The Centre for Internet and Society
https://cis-india.org
GSMA Research Outputs
https://cis-india.org/internet-governance/blog/gsma-research-outputs
<b>This is a collection of research under our GSMA project that we have undertaken in collaboration with Privacy International. The research has sought to understand different legal and regulatory aspects of security and surveillance in India and consists of blog entries and reports. Any feedback or comment is welcome. </b>
<h3>Indian Law and the Necessary Proportionate Principles</h3>
<p style="text-align: justify; ">The presentation shows that there are no comprehensive provisions for the principles of legitimate aim, competent judicial authority, proportionality, transparency, etc. whereas these are partially present for the principles of legality, necessity, adequacy, public oversight, safeguards for international cooperation, etc. The presentation also looks at the Indian intelligence agencies and shows us that there are nine agencies authorized to intercept communications along with at least eleven additional agencies. It further delves into the establishment and structure of Indian intelligence agencies and whom they report to, and the sharing of information internationally as well as nationally. It shows us that India has MLAT agreements with 36 countries and that requests to the CBI can be initiated informally or formally through court order. It then lists out the various regulatory and important bodies responsible for national security. Some cases of unlawful interception / leaks have been discussed along with examples of arrests based on digital evidence. The various government schemes, the telecommunication companies in India, telecom license requirements, government developed security and surveillance solutions, private security companies, security expos, export, import and selling of security and surveillance equipment, and the way forward are also discussed.</p>
<p><a href="https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Security, Surveillance and Data Sharing Schemes and Bodies in India</h3>
<p style="text-align: justify; ">Following the 2008 Mumbai terrorist attacks, India had implemented a wide range of data sharing and surveillance schemes. Though developed under different governments the purpose of these schemes has been to increase public safety and security by tackling crime and terrorism. As such, two data sharing schemes have been proposed - the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & Systems (CCTNS), as well as several surveillance systems, such as the Lawful Intercept and Monitoring (LIM) system, the Network Traffic Analysis system (NETRA), state Internet Monitoring Systems and the Central Monitoring System (CMS). This chapter details the various schemes and provides policy recommendations for their improvement, with regards to the protection of the right to privacy and other human rights.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/security-surveillance-and-data-sharing.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Export and Import of Security Technologies in India: QA</h3>
<p style="text-align: justify; ">The write-up examines in question-answer format the standards regulating the export of technologies that can be used for surveillance purposes, the department and legislation that governs exports and imports of security technologies in India, the procedure for obtaining an export licence for the export of SCOMET items, what is ITC (HS) and why is it important, and examples of ITC codes for technologies that can facilitate security or surveillance. The research finds answers to all these queries.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/export-and-import-of-security-technologies-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Regulation of CCTV’s in India</h3>
<p style="text-align: justify; ">In light of the increasing use and installation of CCTV’s in cities across India, and the role that CCTVs play in the Home Ministry's plans for implementing "Mega Policing Cities", this blog seeks to review various attempts to regulate the use of CCTV's in India, review international best practices, and provide preliminary recommendations for the regulation of CCTV's in India.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/regulation-of-cctvs-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Mutual Legal Assistance Treaties (MLATs) and Cross Border Sharing of Information in India</h3>
<p style="text-align: justify; ">The exact process by which intelligence agencies in India share information with other agencies internationally is unclear. India is a member of Interpol, and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training, is designated as the National Central Bureau of India.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/mlats-and-cross-border-sharing-of-information-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>Composition of Service Providers in India</h3>
<p style="text-align: justify; ">Telecom, at present, is one of the fastest-growing industries in India. As of January 2014, according to the Telecom Regulatory Authority of India (TRAI) there are 922 million wireless and over the wire subscribers in India, and 56.90 million broadband subscribers including wired, wireless and WiMAX subscribers. India’s overall wireless teledensity was quoted as having 893.31 million subscribers, with a 0.79% (7.02 million) monthly addition.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/composition-of-service-providers-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">The Surveillance and Security Industry in India - An Analysis of Indian Security Expos</h3>
<p style="text-align: justify; ">The ‘Spy Files’, a series of documents released by whistleblower website WikiLeaks over the last few years, exposed the tremendous growth of the private surveillance industry across the world – a multi-billion dollar industry thriving on increasing governmental and private capabilities for mass surveillance of individuals. These documents showed how mass surveillance is increasingly made possible through new technologies developed by private players, often exploiting the framework of nascent but burgeoning information and communication technologies like the internet and communication satellites.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/surveillance-and-security-industry-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3>An Analysis of News Items and Cases on Surveillance and Digital Evidence in India</h3>
<p style="text-align: justify; ">In a technologically advanced era, with preponderance of electronic communications in both professional and social interactions and the ability to store such information in digital form, digital evidence has gained significance in civil as well as criminal litigation in India. In order to match the pace with the progressive technology, the Indian Courts have embarked on placing more and more reliance on the digital evidence and a portion of such digital evidence is obtained through electronic surveillance.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-and-digital-evidence-in-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">Policy Recommendations for Surveillance Law in India and an Analysis of Legal Provisions on Surveillance in India and the Necessary & Proportionate Principles</h3>
<p style="text-align: justify; ">The Government of India has created a legal framework which supports the carrying out of surveillance by authorities through its various laws and license agreements for service providers. The Centre for Internet and Society (CIS) acknowledges that lawful, warranted, targeted surveillance can potentially be a useful tool in aiding law enforcement agencies in tackling crime and terrorism. However, current Indian laws and license agreements appear to overextend the Government's surveillance capabilities in certain cases, while inadequately safeguarding individuals' right to privacy and data protection.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/policy-recommendations-for-surveillance-law-in-india-and-analysis-of-legal-provisions-on-surveillance-in-india-and-the-necessary-and-proportionate-principles.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">The Surveillance Industry in India</h3>
<p style="text-align: justify; ">India has the world's second largest population, an expanding middle class and undoubtedly a huge market which attracts international investors. Some of the world's largest corporations have offices in India, such as Google Incorporated and BlackBerry Limited. In the Information Age, the market revolves around data and companies which produce technologies capable of mining such data are on the rise. Simultaneously, companies selling surveillance technologies appear to be on the peak too, especially since the global War on Terror requires law enforcement agencies around the world to be equipped with the latest surveillance gear.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/surveillance-industry-india.pdf" class="external-link">Click to download the PDF</a></p>
<h3 style="text-align: justify; ">State of Cyber Security and Surveillance in India: A Review of the Legal Landscape</h3>
<p style="text-align: justify; "><br />The issue of cyber security and surveillance, especially unauthorised surveillance, though traditionally unprioritised, has recently gained much traction due to the increasing number of news reports regarding various instances of unauthorised surveillance and cyber crimes. In the case of unauthorised surveillance, more than the frequency of the instances, it is their sheer magnitude that has shocked civil society and especially civil rights groups. In the background of this ever increasing concern regarding surveillance as well as increasing concerns regarding cyber security due to the increased pervasiveness of technology in our society, this paper tries to discuss the legal and regulatory landscape regarding surveillance as well as cyber security.</p>
<p style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-india.pdf" class="external-link">Click to download the PDF</a></p>
No publisher | elonnai | GSMA Research, Internet Governance, Privacy | 2015-04-06T14:18:18Z | Blog Entry
Indian Law and the Necessary Proportionate Principles
https://cis-india.org/internet-governance/blog/indian-law-and-necessary-proportionate-principles.pdf
No publisher | elonnai | 2015-03-14T02:15:32Z | File
The Centre for Internet and Society joins Worldwide Campaign to Discover Depth of GCHQ's Illegal Spying
https://cis-india.org/internet-governance/blog/cis-joins-worldwide-campaign-to-discover-depth-of-gchq-illegal-spying
<b>The Centre for Internet and Society has joined an international campaign to allow anyone in the world to request whether Britain’s intelligence agency GCHQ has illegally spied on them.</b>
<p style="text-align: justify; ">The platform and campaign has been developed in response to a recent court ruling that GCHQ unlawfully obtained millions of private communications from the NSA up until December 2014. This decision allows not only British citizens, but anyone in the world, to ask GCHQ if the individual’s records were unlawfully shared by the NSA.</p>
<p>Individuals who wish to take part in this process can sign up here: https://www.privacyinternational.org/illegalspying</p>
<p style="text-align: justify; ">Privacy International intends to collate the inquiries from around the world and submit them to the UK Investigatory Powers Tribunal. Those who have been found to have been illegally spied on can then seek the deletion of their records, including emails, phone records, and internet communications. Given the mass surveillance capabilities of the NSA and GCHQ, and that the agencies “share by default” the information they collect, an unlimited number of people could have been affected by the unlawful spying.</p>
<p style="text-align: justify; ">The Investigatory Powers Tribunal, the UK court solely responsible for overseeing intelligence agencies, ruled on 6 February that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK’s access to the NSA’s PRISM and UPSTREAM programmes were secret. It was only due to revelations made during the course of this case, which relied almost entirely on documents disclosed by Edward Snowden, that the intelligence sharing relationship became subject to public scrutiny.</p>
<p>The decision was the first time in the Tribunal’s history that it had ruled against the actions of the intelligence and security services.</p>
<p style="text-align: justify; ">According to the Centre for Internet and Society – this is a great example of transparency and the ability for individuals to access information held by the government. It is also an important step towards government accountability with respect to state surveillance.</p>
<p>Eric King, Deputy Director of Privacy International, said:</p>
<p style="text-align: justify; ">“We have known for some time that the NSA and GCHQ have been engaged in mass surveillance, but never before could anyone explicitly find out if their phone calls, emails, or location histories were unlawfully shared between the US and UK. The public have a right to know if they were illegally spied on, and GCHQ must come clean on whose records they hold that they should never have had in the first place.</p>
<p style="text-align: justify; ">There are few chances that people have to directly challenge the seemingly unrestrained surveillance state, but individuals now have a historic opportunity to finally hold GCHQ accountable for their unlawful actions.”</p>
<hr />
<h2>Brief on “Did GCHQ Spy on You Illegally?”</h2>
<p style="text-align: justify; ">Privacy International on Monday February 16th 2015 launched a campaign and platform allowing people to ask the UK’s surveillance court, the Investigatory Powers Tribunal, if GCHQ spied on people illegally. This comes on the heels of our recent legal victory in the IPT, who found that all intelligence sharing from the NSA to GCHQ prior to December 2014 was unlawful.<br /><br />As on February 17th night, we had over 10,000 signatures, and at the end of today we expect to have more updated figures. <br /><br />While this has been successful thus far, we need your help!<br /><br />We need the support of other organisations to truly make this work, and we want your organisation to join as a partner. Being a partner in this can look a few different ways: you can send out emails to your organisation's members, tweet out the links to the platform, or send out a press release to your media contacts telling them you joined the effort.<br /><br />We hope you can join, and below we try to address some questions we've been getting about the campaign. There's also an additional FAQ more specifically addressing the campaign itself.</p>
<h3>What is PI doing?</h3>
<p style="text-align: justify; ">Simply put: Giving people the chance to remedy illegal government activity and hold intelligence agencies accountable. When someone submits their information through this platform, they are allowing us to go to the IPT on their behalf to find out if they were illegally spied on by GCHQ. <br /><br />People could have gone directly to the IPT to ask, but that process is difficult to engage in. We wanted to create a simple, low-barrier way to give people the chance to find out if they were victims of illegal spying.</p>
<h3>Why are you doing this?</h3>
<p style="text-align: justify; ">This action is not just about satisfying curiosity. Sure, lots of us are interested in knowing whether our emails have been caught in the NSA and GCHQ’s dragnet surveillance operations, and hopefully through this platform we’ll be able to find out. But, this campaign is about much more than that. <br /><br />It is about making GCHQ understand the very personal and individual implications of mass surveillance. And it is about ending the feeling of powerlessness that many of us have felt since discovering, thanks to Edward Snowden, the reality of the almost total surveillance that we’re under. <br /><br />We have never done a public campaign like this, but we felt that this ruling was too important to pass up. People have a right to know if they were illegally spied on, and if so, request that their records are deleted. We want to help them assert those rights, and we think you can help too.</p>
<h3>Why should my organisation join?</h3>
<p style="text-align: justify; ">We don't get many victories in this space, but we have a rare opportunity to give people the chance to do something! Not just sign a petition, but directly hold intelligence agencies accountable and challenge proven illegal government activity. <br /><br />Numbers are important too, not just important to brag about. The greater number of people who sign up actually increases our likelihood of success. That's because when we submit people's details to the IPT, one of the possible outcomes could be that the court tests a sample to see if/where illegality occurred. <br /><br />The more people who sign up, the greater chance there is we can prove that people were illegally spied on. If that's the case, we could request that GCHQ delete ALL the records they obtained from NSA prior to December 2014.</p>
<p style="text-align: justify; ">To do that, we need as many people as possible to join. We are not merely interested in building a list, this is not a stunt, and we have no interest in poaching your members. It's simple – more people means greater chance of success.<br /><br />Also, this is going to be a long fight on our front. We are going to be dealing with this campaign for the next few months if not few years. As each turn comes along the way, we are going to need your help to keep pressure up and keep people involved. Nothing good comes easy!</p>
<h3>Is it only for British citizens?</h3>
<p style="text-align: justify; ">No. This literally affects everyone who has ever used a phone or computer prior to December 2014, which is pretty much every single person.<br /><br />So, anyone around the world is eligible to join this petition! No matter where you are, you’re entitled under British law to bring a claim in the courts to find out whether you were illegally spied on. Given the degree of intelligence collection by the NSA and its close relationship with the British intelligence services, it’s entirely possible that your communications have been scooped up and unlawfully handed over to the UK. <br /><br />So, what can you do?</p>
<h2>Four actions you can do:</h2>
<ul>
<li style="text-align: justify; "><b>Declare your organisation’s support for the campaign!</b> Email <a href="mailto:mike@privacyinternational.org">mike@privacyinternational.org</a> and we'll add your name to the partner section on the petition page.</li>
<li><b>Tweet the link for the petition to your followers</b>: <a href="http://www.privacyinternational.org/illegalspying">www.privacyinternational.org/illegalspying</a> using the hashtag #DidGCHQSpyOnYou</li>
<li style="text-align: justify; "><b>Email your supporters and members and encourage them to join the campaign</b> - if you need further information you can point them to the FAQ on our website or included in this pack: https://www.privacyinternational.org/?q=node/495</li>
<li style="text-align: justify; "><b>Tweet at or contact notable people in your city or country</b> - we’ve been tweeting Members of Parliament, influential journalists, movie stars, whomever!</li>
</ul>
<h2>FAQ on action</h2>
<p>URL: <a class="external-link" href="https://privacyinternational.org/?q=node/495">https://privacyinternational.org/?q=node/495</a></p>
<h3>Who is able to join?</h3>
<p style="text-align: justify; ">EVERYONE! The implications of our recent legal victory against GCHQ in the Investigatory Powers Tribunal mean that all intelligence sharing from the NSA to GCHQ was unlawful. Because people located all over the world are affected by illegal intelligence sharing, not only British citizens, but anyone in the world, can ask if their records collected by the NSA were unlawfully shared with GCHQ.</p>
<h3>Why are we doing this?</h3>
<p style="text-align: justify; ">Intelligence agencies' culture of secrecy has allowed them, for too long, to avoid public accountability. Whether it’s secret hearings in closed court rooms or committees equipped only with rubber stamps, intelligence agencies like GCHQ have never been forced to answer to the public for their actions.</p>
<p style="text-align: justify; ">We think you have a right to know whether you have been caught up in GCHQ and NSA's illegal intelligence sharing. If so, you have a right to demand that data be deleted. Privacy International wants to help you assert those rights.</p>
<h3>Wait what? Why do I have to give GCHQ my data?</h3>
<p style="text-align: justify; ">We know it sounds absurd but it's the only way! The Tribunal can't act by itself, so it needs people to come forward to file complaints. We've kept information needed to a minimum, but the IPT requires more than your name to attempt to find your communications in GCHQ’s massive databases. If they do locate your data, you can ask them to delete it. Hopefully, if enough people sign up, we can show just how widespread Five Eyes mass surveillance and intelligence sharing is, and get the reform we all need!</p>
<h3>Will this tell me if GCHQ are currently spying on me?</h3>
<p style="text-align: justify; ">No. This campaign will only tell you if NSA shared your communications with GCHQ before December 2014. It won't tell you if GCHQ shared communications with NSA. It also won't tell you if GCHQ intercepted your communications by themselves. Should Privacy International be successful in our appeal to the European Court of Human Rights maybe this will change, but for now, this is limited to just whether NSA shared your communications with GCHQ before December 2014.</p>
<h3>What will happen once I have entered my details?</h3>
<p style="text-align: justify; ">After you hit submit, you'll receive an email asking you to confirm your participation. Make sure you click that link, otherwise your submission won't go through. While these few details are all we need from you now, we may need more information from you in the future. By entering your details, you authorise Privacy International and their legal team to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your rights under Article 8 and Article 10 of the UK Human Rights Act have been violated and to request your records be deleted.</p>
<h3>How will I know my communications were illegally shared with GCHQ?</h3>
<p style="text-align: justify; ">If the IPT find that your communications were illegally shared with GCHQ, they have to tell you. The Investigatory Powers Tribunal has a statutory obligation to investigate any complaint made against GCHQ. When they receive a complaint, if they think they have all the information required to make a determination, then they will do so, and inform you of the outcome. If not, the IPT can demand more information, a meeting or inspection of files held by GCHQ.</p>
<h3>Do I get anything if I have been spied on?</h3>
<p style="text-align: justify; ">Yes. If the IPT is able to establish that you have been illegally spied on, they have to tell you. You will receive a declaration that your privacy rights have been violated and you can request that any information unlawfully obtained be deleted.</p>
<h3>Will GCHQ hold onto my details when they are handed over to them?</h3>
<p style="text-align: justify; ">No. GCHQ are only allowed to keep your details for the purposes of establishing whether or not they spied on you illegally and for the duration of the investigation by the IPT.</p>
<h3>How soon will I receive an answer to whether I was caught up in NSA and GCHQ's illegal spying?</h3>
<p>It might be a while. This is the first time that such a large group action has been mounted against GCHQ so count on it being many months, and likely years before this action is completed. Nothing worth doing is easy!</p>
<h3>Is this for all of NSA and GCHQ's programmes?</h3>
<p style="text-align: justify; ">This legal campaign deals with information collected by the NSA and shared with GCHQ before December 2014, specifically PRISM and UPSTREAM. It doesn't deal with GCHQ initiated interception, but if we're successful with our appeal with the European Court of Human Rights, maybe that could change!</p>
<h3>Is my email address and phone number enough for GCHQ to find all records?</h3>
<p style="text-align: justify; ">No. Unfortunately, we imagine many of GCHQ's databases are unindexed or indexed by a "selector" which could be an IP address, a cookie, a hardware address or almost anything else. For people who want the most comprehensive records searched, much more personal information would have to be provided. Currently we are asking for only your email address and phone number to enable the greatest number of people access to this campaign. If you want to provide more detailed information and a range of selectors to GCHQ, consider submitting your own individual complaint here. We hope to have a detailed guide on how to do so in the next few days.</p>
<h3>What are Privacy International going to do with this data?</h3>
<p style="text-align: justify; ">By entering your details you are authorising Privacy International to pass your information to GCHQ and the Investigatory Powers Tribunal in order to seek a declaration that your privacy rights have been violated. We will provide you with updates on the case and won't use the information for any other purpose. We will only share it with our lawyers, GCHQ and the Investigatory Powers Tribunal.</p>
No publisher | elonnai | Internet Governance, Privacy | 2015-03-01T06:13:03Z | Blog Entry
Security and Surveillance – Optimizing Security while Safeguarding Human Rights
https://cis-india.org/internet-governance/blog/security-and-surveillance-optimizing-security-while-safeguarding-human-rights
<b>The Centre for Internet and Society (CIS) on December 19, 2014 held a talk on “Security and Surveillance – Optimizing Security while Safeguarding Human Rights”.</b>
<p style="text-align: justify; ">The talk focused on a project that is being undertaken by CIS in collaboration with Privacy International, UK. Initiated in 2014, the project seeks to study the regulatory side of surveillance and related technologies in the Indian context. The main objective of the project is to initiate dialogue on surveillance and security in India, government regulation, and the processes that go into the same. The talk saw enthusiastic participation from civil society members, policy advisors on technology, and engineering students.</p>
<p style="text-align: justify; ">During the event it was highlighted that requirements of judicial authorization, transparency and proportionality are currently lacking in the legal regime for surveillance in India and at the same time India has a strong system of ‘security’ that service providers must adhere to – which works towards enhancing cyber security in the country.</p>
<p style="text-align: justify; ">Discussions played out with regard to how most of the nine intelligence agencies that are authorized to intercept information in India are outside the ambit of parliamentary oversight, the RTI and the CAG, making them virtually unaccountable to the Indian public.</p>
<p style="text-align: justify; ">Another conversation focused on the sharing of information between various intelligence agencies within the country, and the fact that this area is virtually unregulated. The discussion then steered to cyber-security in general, emerging technologies used by the Government of India for surveillance, cooperative agreements for surveillance technologies that India has with other countries, the export and import of such technologies from India, and most importantly, the role of service providers in the surveillance debate, and the regulations they are subject to.</p>
<p style="text-align: justify; ">A common theme that seemed to emerge from the discussion was that the agencies responsible for regulating information interception and surveillance in the country are shockingly unaccountable to the Indian public. As an active civil society member noted today - <i>“There is no oversight/monitoring of the agencies themselves, so there’s no way anyone would even know of how many instances of surveillance or unauthorized interception have actually occurred.”</i></p>
<p style="text-align: justify; ">The talk successfully concluded with inputs from members of the audience, and a broad consensus on the fact that the Government of India would have to adhere to stronger regulatory standards, harmonized surveillance standards, stronger export and import certification standards, etc., in order to make surveillance in India more transparent and accountable. As was stated at the talk, <i>“We don’t have a problem with the concept of surveillance per se, - it has more to do with its problematic implementation”.</i></p>
No publisher | elonnai | Internet Governance, Privacy | 2015-02-13T02:41:46Z | Blog Entry
Security, Governments, and Data: Technology and Policy
https://cis-india.org/internet-governance/events/security-governments-data-technology-policy
<b>The Centre for Internet & Society and the Observer Research Foundation invite you to a one day conference on January 8, 2015 in New Delhi. </b>
<h3 style="text-align: justify; ">About the Conference</h3>
<p style="text-align: justify; ">The conference will focus on the technologies, policies, and practices around cyber security and surveillance. The conference will reach out to a number of key stakeholders including civil society, industry, government, and academia and explore the present scenario in India to reflect on ways forward.</p>
<h3 align="left" class="western"><strong>Conference </strong><strong>Context</strong></h3>
<p align="justify"><span>Ensuring the security of India’s cyber space is a complex, challenging, and ever changing responsibility that the government is tasked with. Doing so effectively requires a number of factors to come together in a harmonized strategy including: laws & policies, technical capabilities, markets, and a skilled workforce. It also requires collaboration on multiple levels including with foreign governments, domestic and foreign industry, and law enforcement. The first of these is particularly important given the ability of attackers to penetrate across borders and the global nature of data. Any strategy developed by India must be proactive and reactive – evolving defences to prevent a potential threat and applying tactics to respond to a real time threat. To do so, the government of India must legally have the powers to take action and must have the technical capability to do so. Yet, many of these powers and technical capabilities require a degree of intrusion into the lives of citizens and residents of India through means such as surveillance. Thus, such measures must be considered in light of principles of proportionality and necessity, and legal safeguards are needed to protect against the violation of privacy. Furthermore, a principle of optimization must be considered, i.e., how much surveillance achieves the most security, and how this security can be achieved with the optimal mix of technology, policy and enforcement.</span></p>
<h3 align="left" class="western">Panel Descriptions</h3>
<p align="left"><strong>Challenges & Present Scenario</strong></p>
<p align="left"><strong> </strong><span>Protecting and enhancing the cyber security of India is a complex and dynamic responsibility. The challenge of securing cyber space is magnified by the demarcated nature of the internet, the multiplicity of vulnerabilities that can be exploited at the national level, the magnitude of infrastructure damage possible from a cyber attack, and the complexity of application of a jurisdiction’s law to a space that is technologically borderless. A comprehensive ‘cyber security’ ecosystem is required to address such challenges – one that involves technology, skills, and capabilities – including surveillance capabilities. The Government of India has taken numerous steps to address and resolve such challenges. In July 2013, the National Cyber Security Policy was published for the purpose of creating an enabling framework for the protection of India’s cyber security. In February 2014, the 52</span><sup>nd</sup><span> Standing Committee on Information Technology issued a report assessing the implementation of this policy – in which they found that a number of areas needed strengthening. The Government of India has also proposed the establishment of a number of centres focused on cyber security – such as the National Cyber Coordination Center and the National Critical Information Infrastructure Protection Centre. CERT-IN, under the Department of Electronics and Information Technology is presently the body responsible for overseeing and enforcing cyber security in India, while other bodies such as the Resource Centre for Cyber Forensic and TERM cells under the Department of Telecommunications play critical roles in overseeing and undertaking capabilities related to cyber security.</span></p>
<p align="justify"><strong>Law & Policy</strong></p>
<p align="justify"><span>India has five statutes regulating the collection and use of data for surveillance purposes. These laws define the circumstances in which the government is justified in accessing and collecting real time and stored data, as well as the procedural safeguards it must adhere to when doing so. The Department of Telecommunications has also issued the Unified Access License which, among other things, mandates service providers to provide technical support to enable such collection. The Indian judicial system has also provided a number of rulings that set standards for the access, collection, and use of data as well as defining limitations and safeguards that must be respected in doing so. The draft Privacy Bill 2011, released by the Department of Personnel and Training, also contained provisions addressing surveillance in the context of interception and the use of electronic video recording devices. In the Report of the Group of Experts on Privacy, the AP Shah Committee found that the legal regime for surveillance in India was not harmonized and lacked safeguards. Furthermore, in the era where the direct collection of large volumes of data is easily possible, there is a growing need to re-visit questions about the legitimate and proportionate collection and use (particularly as evidence) of such data. Questions are also arising about the applicability of standards and safeguards to the state. At a global level, catalyzed by the leaks by Edward Snowden, there has been a strong push for governments to review and structure their surveillance regimes to ensure that they are in line with international human rights standards.</span></p>
<p align="justify"><strong>Architecture & Technology</strong></p>
<p align="justify"><span>India is in the process of architecting a number of initiatives that seek to enable the collection and sharing of intelligence such as the CMS, NATGRID, and NETRA. At a regional level, the Ministry of Home Affairs is in the process of implementing ‘Mega Policing Cities’ which include the installation of CCTVs and centralized access to crime related information. Globally, law enforcement and governments are beginning to take advantage of the possibilities created by ‘Big Data’ and ‘open source’ policing. The architecture and technology behind any surveillance and cyber security initiative are key to its success. Intelligently and appropriately designed projects and technology can also minimize the possibility of intrusions into the private lives of citizens. Strong access controls, decentralized architecture, and targeted access are all principles that can be incorporated into the architecture and technology behind a project or initiative. At the same time, the technology or process around a project can serve as the ‘weakest link’ – as it is vulnerable to attacks and tampering. Such possibilities raise concerns about the use of foreign technology and dependencies on foreign governments and companies.</span></p>
<p align="justify"><strong>International and Domestic Markets</strong></p>
<p align="justify"><span>Globally, the security market is growing – with companies offering a range of services and products that facilitate surveillance and can be used towards enhancing cyber security. In India, the security market is also growing with studies predicting that it will reach $1.06 billion by 2015. Recognizing the potential threat posed by imported security and telecom equipment, India also develops its own technologies through the Centre for Development of Telematics – attached to the Department of Telecommunications, and the Centre for Development of Advanced Computing – attached to the Department of Electronics and Information Technology. At times India has also imposed bans on the import of technologies believed to be compromised. Towards this end, the Government of India has a number of bodies responsible for licensing, auditing, and certifying the use of security and telecommunication equipment. Though India has recognized the security vulnerabilities posed by these technologies, as of yet it has not formally recognized the human rights violations that are made possible. Indeed, though India has submitted a request to be a signing member of the </span><span>Wassenaar agreement, it has yet to be accepted.</span></p>
<h3 style="text-align: justify; ">Agenda</h3>
<table class="plain">
<tbody>
<tr>
<td>11.00</td>
<td>Registration & Tea</td>
</tr>
<tr>
<td>11.30</td>
<td>Key Note Speech</td>
</tr>
<tr>
<td>12.00</td>
<td>Challenges & Present Scenario</td>
</tr>
<tr>
<td>13.00</td>
<td>Law & Policy</td>
</tr>
<tr>
<td>14.00</td>
<td>Lunch</td>
</tr>
<tr>
<td>15.00</td>
<td>Architecture & Technology</td>
</tr>
<tr>
<td>16.00</td>
<td>International & Domestic Markets</td>
</tr>
<tr>
<td>17.00</td>
<td>Tea</td>
</tr>
<tr>
<td>17.30</td>
<td>Conclusion & Closing Remarks</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/security-governments-data-technology-policy'>https://cis-india.org/internet-governance/events/security-governments-data-technology-policy</a>
</p>
No publisher | elonnai | Event | Internet Governance | 2014-12-24T08:06:59Z | Event
A Study of the Privacy Policies of Indian Service Providers and the 43A Rules
https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules
<p>Written by Prachi Arya and Kartik Chawla<br />Edited by: Vipul Kharbanda, Elonnai Hickok, Anandini Rathore, and Mukta Batra</p>
<hr />
<p><a href="https://cis-india.org/internet-governance/blog/study-of-privacy-policies-indian-service-providers.pdf" class="internal-link">Click to download the PDF</a></p>
<table class="plain">
<tbody>
<tr>
<th>Contents<br /></th>
</tr>
<tr>
<td><a href="#_Toc406957920">Executive Summary</a></td>
</tr>
<tr>
<td><a href="#_Toc406957921">Introduction</a></td>
</tr>
<tr>
<td><a href="#_Toc406957922">Objective, Methodology, and Scope of the Study</a></td>
</tr>
<tr>
<td><a href="#_Toc406957923">Objective of Research</a></td>
</tr>
<tr>
<td><a href="#_Toc406957924">Methodology</a></td>
</tr>
<tr>
<td><a href="#_Toc406957925">Scope</a></td>
</tr>
<tr>
<td><a href="#_Toc406957926">Criteria for selection of companies being studied</a></td>
</tr>
<tr>
<td><a href="#_Toc406957927">Overview of Company Privacy Policy and Survey Results</a></td>
</tr>
<tr>
<td><a href="#_Toc406957928">Vodafone</a></td>
</tr>
<tr>
<td><a href="#_Toc406957929">Tata Teleservices Limited</a></td>
</tr>
<tr>
<td><a href="#_Toc406957930">Airtel</a></td>
</tr>
<tr>
<td><a href="#_Toc406957931">Aircel</a></td>
</tr>
<tr>
<td><a href="#_Toc406957932">Atria Convergence Technologies</a></td>
</tr>
<tr>
<td><a href="#_Toc406957933">Observations</a></td>
</tr>
<tr>
<td><a href="#_Toc406957934">International Best Practices</a></td>
</tr>
<tr>
<td><a href="#_Toc406957935">Australia</a></td>
</tr>
<tr>
<td><a href="#_Toc406957936">European Union</a></td>
</tr>
<tr>
<td><a href="#_Toc406957937">Recommendations</a></td>
</tr>
<tr>
<td><a href="#_Toc406957938">Annexure 1</a></td>
</tr>
<tr>
<td><a href="#_Toc406957939">Annexure 2</a></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.gjdgxs"></a></p>
<hr />
<h1 style="text-align: justify; "><a name="_Toc406957920">Executive Summary</a> <a name="h.30j0zll"></a> <a name="h.1fob9te"></a></h1>
<p style="text-align: justify; "><br />India has one of the largest telecom subscriber bases in the world, currently estimated at 898 Million users.<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a> With over 164.8 Million people accessing the internet <a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> in the subcontinent as well, technology has concurrently improved to facilitate such access on mobile devices. In fact, the high penetration rate of the internet in the market can be largely attributed to mobile phones, via which over 80% of the Indian population access the medium.<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a></p>
<p style="text-align: justify; ">While this is a positive change, concerns now loom over the expansive access that service providers have to the information of their subscribers. For the subscriber, a company's commitment to protect user information is most clearly defined via a privacy policy. Data protection in India is broadly governed by Rules notified under Section 43A of the Information Technology Act 2000.<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a> Amongst other things, the Rules define requirements and safeguards that every Body Corporate is legally required to incorporate into a privacy policy.</p>
<p style="text-align: justify; ">The objective of this research is to understand what standards of protection service providers in India are committing to via organizational privacy policies. Furthermore, the research seeks to understand if the standards committed to via organizational privacy policies align with the safeguards mandated in the 43A Rules. Towards this, the research reviews the publicly available privacy policies from seven different service providers - Airtel, Aircel, Vodafone, MTNL, BSNL, ACT, and Tata Teleservices.</p>
<p style="text-align: justify; ">The research finds that only Airtel, Vodafone, and Tata Teleservices fully incorporate the safeguards defined in the 43A Rules. Aircel and ACT incorporate a number of such safeguards, though not all. On the other hand, BSNL minimally incorporates the safeguards, while MTNL does not provide a privacy policy that is publicly available.</p>
<h1 style="text-align: justify; "><a name="_Toc406957921"></a> <a name="h.3znysh7"></a> Introduction</h1>
<p style="text-align: justify; ">The Indian Telecom Services Performance Indicators report by the Telecom Regulatory Authority of India (TRAI) <a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a> pegs the total number of internet subscribers in India at 164.81 million and the total number of telecom subscribers at 898.02 million, as of March 2013. As mobile phones are adopted more widely, by both rural and urban populations, there is an amalgamation of telecommunications and internet users. Thus, in India, seven out of eight internet users gain access through mobile phones. <a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></p>
<p style="text-align: justify; ">Though this rapid evolution of technology allows greater ease of access to digital communication, it also has led to an increase in the amount of personal information that is shared on the internet. Subsequently, a number of privacy concerns have been raised with respect to how service providers handle and protect customer data, as companies rely on this data not only to provide products and services, but also as a profitable commodity in and of itself. Individuals are thus forced to confront the possible violation of their personal information, which is collected as a <i>quid pro quo </i>by service providers for access to their services and products. In this context, protection of personal information, or data protection, is a core principle of the right to privacy.</p>
<p style="text-align: justify; ">In India, the right to privacy has been developed in a piecemeal manner through judicial intervention, and is recognized, to a limited extent, as falling under the larger ambit of the fundamental rights enshrined under Part III of the Constitution of India, specifically those under Article 21. <a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a> In contrast, historically in India there has been limited legislative interest expressed by the Government and the citizens towards establishing a statutory and comprehensive privacy regime. Following this trend, the Information Technology Act, 2000 (IT Act), as amended in 2008, provided for a limited data protection regime.</p>
<p style="text-align: justify; ">However, this changed in 2010 when, concerned about India's robust growth in the fields of IT industry and outsourcing business, an 'adequacy assessment' was commissioned by the European Union (EU), at the behest of India, which found that India did not have an adequate personal data protection regime. <a href="#_ftn8" name="_ftnref8"><sup><sup>[8]</sup></sup></a> The main Indian legislation on personal data security is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), enacted under Section 43A of the IT Act, which extends the civil remedy by way of compensation in case of wrongful loss or gain under Section 43A to cases where such loss or gain results from inadequate security practices and procedures while dealing with sensitive personal data or information. In 2012, the Justice AP Shah group of Experts was set up to review and comment on Privacy,<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a> for the purpose of making recommendations which the government may consider while formulating the proposed framework for the Privacy Act.<a name="h.2et92p0"></a></p>
<h1 style="text-align: justify; "><a name="_Toc406957922">Objective, Methodology, and Scope of the Study</a></h1>
<p style="text-align: justify; "> </p>
<h2 style="text-align: justify; "><a name="_Toc406957923"></a> <a name="h.tyjcwt"></a> Objective of Research</h2>
<p style="text-align: justify; ">This research aims to analyse the Privacy Policies of the selected Telecommunications (TSP) and Internet Service Providers (ISP) (collectively referred to as 'service providers' for the purposes of this research) in the context of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ('Rules') in order to gain perspective on the extent to which the privacy policies of different types of service providers in India align with the Rules. Lastly, this research seeks to provide broad recommendations about changes that could be incorporated to harmonize the respective policies and to bring them in line with the aforementioned Rules.</p>
<h2 style="text-align: justify; "><a name="_Toc406957924"></a> <a name="h.3dy6vkm"></a> Methodology</h2>
<p style="text-align: justify; ">The Privacy Policies<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a> of seven identified service providers are compared against the requirements under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, (Rules) as notified by way of section 87(2) (ob) read with section 43A of the Information Technology Act, 2000.</p>
<p style="text-align: justify; ">Specifically, the Privacy Policies of each of the selected companies are compared against a template that is based on the essential principles of the Rules, and consists of a series of yes or no questions which are answered on the basis of the respective Privacy Policy. These responses are meant to fulfil the first aim of this research, i.e., provide a perspective into the extent to which these companies follow the Rules and the Principles, and thus the extent to which they respect the privacy of their customers. See Annex 1 for the survey template and the interpretation of the 43A Rules for the development of the survey.</p>
<h2 style="text-align: justify; "><a name="_Toc406957925"></a> <a name="h.1t3h5sf"></a> Scope</h2>
<h3 style="text-align: justify; "><a name="_Toc406957926">Criteria for selection of companies being studied</a></h3>
<p style="text-align: justify; ">For the purpose of the study the companies selected are limited to service providers - including Telecommunication Service Providers and Internet Service Providers. Four broad categories of companies have been selected, namely (i) State Owned Companies, (ii) Multinational Companies, (iii) Joint Venture companies where one party is an Indian company and the other party is a foreign based company and (iv) Domestic companies which have a localized user base. The companies have been selected on the basis of this categorization to better understand if the quality of their respective privacy policies is determined by their market reach and user base.</p>
<p style="text-align: justify; ">The privacy policies of the following service providers have been analyzed:</p>
<p style="text-align: justify; ">1. State Owned Companies<a href="#_ftn11" name="_ftnref11"><sup><sup>[11]</sup></sup></a></p>
<p style="text-align: justify; ">a. <b>BSNL<a href="#_ftn12" name="_ftnref12"><sup><b><sup>[12]</sup></b></sup></a>:</b> Bharat Sanchar Nigam Limited, better known as BSNL, is a state-owned telecommunications company that was incorporated by the Indian government in the year 2000, taking over the functions of Central Government departments of Telecommunications Services (DTS) and Telecom Operations (DTO). It provides, <i>inter alia</i>, landline, mobile, and broadband services, and is India's oldest and largest communication services provider. <a href="#_ftn13" name="_ftnref13"><sup><sup>[13]</sup></sup></a> It had a monopoly in India except for Mumbai and New Delhi till 1992.</p>
<p style="text-align: justify; ">b. <b>MTNL<a href="#_ftn14" name="_ftnref14"><sup><b><sup>[14]</sup></b></sup></a>:</b> Mahanagar Telephone Nigam Limited is a state-owned telecommunications company which provides its services in Mumbai and New Delhi in India, and Mauritius in Africa. It was set up by the Indian Government in the year 1986, and just like BSNL, it had a monopoly in the sector till 1992, when it was opened up to other competitors by the Indian government. It provides, <i>inter alia</i>, Telephone, Mobile, 3G, and Broadband services. <a href="#_ftn15" name="_ftnref15"><sup><sup>[15]</sup></sup></a></p>
<p style="text-align: justify; ">2. Multinational Companies</p>
<p style="text-align: justify; ">a. <b>Bharti Airtel Ltd:<a href="#_ftn16" name="_ftnref16"><sup><b><sup>[16]</sup></b></sup></a></b> Bharti Airtel, more commonly referred to as Airtel, is the largest provider of mobile telephony and the second largest provider of fixed telephony in India. Its origins lie in the Bharti Group founded by Sunil Bharti Mittal in 1983, and the Bharti Telecom Group which was incorporated in 1986. It is a multinational company, providing services in South Asia, Africa, and the Channel Islands. Among other services, it offers fixed line, cellular, and broadband services. <a href="#_ftn17" name="_ftnref17"><sup><sup>[17]</sup></sup></a> The company also owns a submarine cable landing station in Chennai, connecting Chennai and Singapore.<a href="#_ftn18" name="_ftnref18">[18]</a></p>
<p style="text-align: justify; ">b. <b>Vodafone</b><a href="#_ftn19" name="_ftnref19"><sup><sup>[19]</sup></sup></a><b>:</b> Vodafone is a British multinational telecom company. Its origins lie in the establishment of Racal Telecom in 1982 which then became Racal Vodafone in 1984, which was a joint venture between Racal, Vodafone and Hambros Technology Trust. Racal Telecom was demerged from Racal Electronics in 1991, and became the Vodafone group. <a href="#_ftn20" name="_ftnref20"><sup><sup>[20]</sup></sup></a> The Vodafone group started its operations in India with its predecessor Hutchison Telecom, which was a joint venture of Hutchison Whampoa and the Max Group, acquiring the cellular license for Mumbai in 1994<a href="#_ftn21" name="_ftnref21"><sup><sup>[21]</sup></sup></a>, and it bought out Essar's share in the same in the year 2007.<a href="#_ftn22" name="_ftnref22"><sup><sup>[22]</sup></sup></a> As of today, it has the second largest subscriber base in India. After Airtel, <a href="#_ftn23" name="_ftnref23"><sup><sup>[23]</sup></sup></a> Vodafone is the largest provider of telecommunications and mobile internet services in India.<a href="#_ftn24" name="_ftnref24"><sup><sup>[24]</sup></sup></a></p>
<p style="text-align: justify; ">3. Joint Ventures</p>
<p style="text-align: justify; ">a. <b>Tata Teleservices<a href="#_ftn25" name="_ftnref25"><sup><b><sup>[25]</sup></b></sup></a></b> - Incorporated in 1996, Tata Teleservices Limited is an Indian telecommunications and broadband company, the origins of which lie in the Tata Group. A twenty-six percent equity stake was acquired by the Japanese company NTT Docomo in Tata Docomo, a subsidiary of Tata Teleservices, in 2008. <a href="#_ftn26" name="_ftnref26"><sup><sup>[26]</sup></sup></a> Tata Teleservices provides services under three brand names, Tata DoCoMo, Virgin Mobile, and T24 Mobile. As a whole, these brands under the head of Tata Teleservices provide cellular and mobile internet services, with the exception of the Tata Sky teleservices brand, which is a joint venture between the Tata Group and Sky. <sup> <a href="#_ftn27" name="_ftnref27"><sup>[27]</sup></a></sup></p>
<p style="text-align: justify; ">b. <b>Aircel<a href="#_ftn28" name="_ftnref28"><sup><b><sup>[28]</sup></b></sup></a>:</b> Aircel is an Indian mobile headquarter, which was started in Tamil Nadu in the year 1999, and has now expanded to Tamil Nadu, Assam, North-east India and Chennai. It was acquired by Maxis Communications Berhad in the year 2006, and is currently a joint venture with Sindya Securities & Investments Pvt. Ltd. <a href="#_ftn29" name="_ftnref29"><sup><sup>[29]</sup></sup></a> Aircel provides telecommunications and mobile internet services in the aforementioned regions.</p>
<p style="text-align: justify; ">4. India based Companies/Domestic Companies -</p>
<p style="text-align: justify; ">a. <b>Atria Convergence Technologies (ACT)<a href="#_ftn30" name="_ftnref30"><sup><b><sup>[30]</sup></b></sup></a>:</b> Atria Convergence Technologies Pvt. Ltd is an Indian cable television and broadband services company. Funded by the India Value Fund Advisor (IVFA), it is centered in Bangalore, but also provides services in Karnataka, Andhra Pradesh, and Madhya Pradesh.</p>
<h2 style="text-align: justify; "><a name="_Toc406957927">Overview of Company Privacy Policy and Survey Results</a></h2>
<p> </p>
<p style="text-align: justify; ">This section lays out the ways in which each company's privacy policy aligns with the Rules found under section 43A of the Information Technology Act. The section is organized based on company and provides both a table with the survey questions and yes/no/partial ratings and summaries of each policy. The rationale and supporting documentation for each determination can be found in Annexure 2.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p>VODAFONE<a href="#_ftn31" name="_ftnref31"><b>[31]</b></a>: 43A Rules Survey</p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of publicly available documents of the body corporate that collect personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Type</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i> Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Grievance Officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="h.4d34og8"></a> <br clear="all" /> <a name="_Toc406957928"></a> <a name="h.2s8eyo1"></a> Vodafone</h2>
<p style="text-align: justify; ">Vodafone's privacy policy partially incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">Vodafone's privacy policy is accessible online; however, the company does not include a copy of the policy with its customer application form. The policy merely lists the type of information collected with no categorization as to SPD/I. The information collected includes contact information, location based information, browsing activity and persistent cookies.</p>
<p style="text-align: justify; ">There is no provision for consent or choice within the policy. Disclosure of personal information to third parties extends to Vodafone's group companies, companies that provide services to Vodafone, credit reference agencies and directories.</p>
<p style="text-align: justify; ">The policy mentions an email address for grievance redressal. In addition, the policy does not lay down any mechanism for correcting personal information that is held with Vodafone.</p>
<p style="text-align: justify; ">Vodafone has a non-exhaustive list of purposes of information usage, though these primarily relate to subscriber services, personnel training, and legal or regulatory requirements.</p>
<p style="text-align: justify; ">With regard to security practices, Vodafone follows the ISO 27001 Certification as per its 2012 Sustainability Report; however, this goes unmentioned in its privacy policy.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Tata Teleservices Limited<a href="#_ftn32" name="_ftnref32"><b>[32]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p><b>Clear and Accessible statements of its practices and policies</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collect personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Collection of personal or sensitive personal data/information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Type</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Option</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Grievance Officer</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_Toc406957929"></a> <a name="h.17dp8vu"></a> Tata Teleservices Limited</h2>
<p style="text-align: justify; ">Tata Teleservices Limited's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">The Tata Teleservices Limited privacy policy is accessible on their website, though when applying for a subscription, the terms and conditions do not include the privacy policy. The privacy policy is easy to understand although there are several elements of the 2011 Rules that are unaddressed.</p>
<p style="text-align: justify; ">The policy does not make any distinction regarding sensitive personal data or information. As per the policy, TTL collects contact and billing information, information about the equipment the subscriber is using, and information on website usage from its customers.</p>
<p style="text-align: justify; ">The purposes of information collection are broadly for managing customer services and providing customized advertising. Information is also collected for security issues, illegal acts and acts that are violative of TTL's policy. TTL's directory services use a customer's name, address and phone number; however, a customer may ask for his/her information not to be published on payment of a fee.</p>
<p style="text-align: justify; ">As per the policy, the disclosure of information to third parties is limited to purposes such as identity verification, bill payments, prevention of identity theft and the performance of TTL's services. Third parties are meant to follow the guidelines of TTL's privacy policy in the protection of its user information. The consent of subscribers is only required when third parties may use personal information for marketing purposes. Consent is precluded under the previous conditions. Disclosure of information to governmental agencies and credit bureaus is for complying with legally authorised requests such as subpoenas, court orders and the enforcement of certain rights or claims. The policy provides for a grievance officer and, in addition, TTL has a separate Appellate Authority to deal with consumer complaints.</p>
<p style="text-align: justify; ">TTL does not follow any particular security standard for the protection of subscriber information; however, it establishes other measures such as limited access to employees, and encryption and other security controls. Although TTL Maharashtra follows the ISO 27001 ISMS Certification, TTL does not seem to follow a security standard for data protection for other regions of its operations.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Airtel<a href="#_ftn33" name="_ftnref33"><b>[33]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collects personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the name and contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Purpose of Collection and usage of information</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Disclosure of Information </b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><b>Reasonable Security practices and procedures</b></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.3rdcrjn"></a></p>
<h2 style="text-align: justify; "><a name="_Toc406957930">Airtel</a></h2>
<p style="text-align: justify; ">Airtel's Privacy Policy fully incorporates the safeguards found in the Rules under 43A.</p>
<p style="text-align: justify; ">Airtel's privacy policy incorporates a number of the requirements stipulated in the Rules. Airtel's privacy policy is easily accessible on its website and is clear and easy to understand. The policy defines sensitive personal information, and states that information collected will be used for specified regulatory and business purposes, though it adds that it may be used for other purposes as well. The policy does allow for the withdrawal of consent for providing information, in which case certain services may be withheld. In addition, Airtel has provided for a grievance officer and abides by the IS/ISO/IEC 27001 security standards. While Airtel allows for the disclosure of information including sensitive personal information to third parties, its policy states that such third parties will follow reasonable security practices in this regard. Concerning disclosure to the government, Airtel shares user information only when it is legally authorised by a government agency. Airtel's policy also provides for an opt-out provision. Such choice remains after subscription of Airtel's services as well. However, withdrawal of consent gives Airtel the right to withdraw its services as well. In terms of disclosure, sharing of user information with third parties is regulated by Airtel's guidelines on the secrecy of information.</p>
<p style="text-align: justify; ">While Airtel lists the purposes for information collection, it states that such collection may not be limited to these purposes alone. In addition, the policy states that a user's personal information will be deleted, although it does not state when this will happen. Thus, the policy could be more transparent and specific on matters regarding the purpose of collection of information as well as deletion of information.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Aircel<a href="#_ftn34" name="_ftnref34"><b>[34]</b></a>: 43A Rules Survey </b></p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collects personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.26in1rg"></a> <b> </b></p>
<h2 style="text-align: justify; "><a name="_Toc406957931">Aircel</a></h2>
<p style="text-align: justify; ">Aircel's Privacy Policy partially complies with the safeguards in the Rules under 43A.</p>
<p style="text-align: justify; ">Aircel's privacy policy is accessible online through its website, though it is not included under the terms and conditions of its customer application. The privacy policy lists the kinds of information that are collected from subscribers, including relevant contact details, call records, browsing history, cookies, web beacons, server log files and location details. The policy does not demarcate information into SPD/I or personal information. Aircel provides subscribers with the right to withdraw consent from the provision of information before and after subscribing, while reserving the right to withdraw its services in this regard. The policy provides the name and contact details of a grievance officer.</p>
<p style="text-align: justify; ">In the privacy policy, the stated purposes for use of subscriber information are limited to customer services, credit requirements, market analyses, legal and regulatory requirements, and directory services by Aircel or an authorised third party.</p>
<p style="text-align: justify; ">In the policy, the provision on disclosure to governmental agencies is vague and does not mention the circumstances under which personal information would be disclosed to law enforcement. The policy provides for correction of information of a subscriber in case of error and deletion after the purpose of the information is served but does not specify when. Although Aircel follows the ISO 27001 standard, it does not mention this under its policy. It does, however, provide for accountability in cases of breach of privacy.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p align="center"><b>Atria Convergence Technologies<a href="#_ftn35" name="_ftnref35"><b>[35]</b></a>: 43A Rules Survey</b></p>
</td>
</tr>
<tr>
<td>
<p><b>Criteria</b></p>
</td>
<td>
<p><b>Yes/No</b></p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collects personal information?</p>
</td>
<td>
<p>Information not available</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly specifies the type of SPD/I being collected?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; "><a name="_Toc406957932"></a> <a name="h.lnxbz9"></a> Atria Convergence Technologies</h2>
<p style="text-align: justify; ">Though Atria Convergence Technologies provides a privacy policy on its website, it does not broadly incorporate the safeguards in the Rules under 43A. ACT's privacy policy is easily accessible online and is easy to understand as well. The information collected from subscribers is limited to contact details along with information on whether a subscriber has transacted with any of ACT's business partners. Though the privacy policy refers to disclosing information for the purpose of assisting with investigating, preventing, or taking action on illegal behaviour, there is no specific provision concerning disclosure to government and regulatory agencies. The policy does not provide information on any security practices and procedures followed. Provisions for withdrawal of consent or correction of personal information are absent from the policy as well.</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<td colspan="2">
<p>BSNL: 43A Rules Survey</p>
</td>
</tr>
<tr>
<td>
<p>Criteria</p>
</td>
<td>
<p>Yes/No</p>
</td>
</tr>
<tr>
<td>
<p>Clear and Accessible statements of its practices and policies</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is accessible through the main website of the body corporate?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collects personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Collection of personal or sensitive personal data/information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p><i>Type</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy explicitly states that it is collecting SPD/I?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Option</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p>Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
<tr>
<td>
<p><i>Grievance Officer</i></p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy mentions the existence of a grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides the contact information of the grievance officer?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Purpose of Collection and usage of information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
</td>
<td>
<p>Partially</p>
</td>
</tr>
<tr>
<td>
<p>Disclosure of Information</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether contractual provisions exist in the privacy policy or ToS addressing the disclosure of personal information with third parties</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Whether personal information is disclosed to government agencies/LEA/IA only when legally mandated?</p>
</td>
<td>
<p>Yes</p>
</td>
</tr>
<tr>
<td>
<p>Reasonable Security practices and procedures</p>
</td>
<td></td>
</tr>
<tr>
<td>
<p>Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure personal information?</p>
</td>
<td>
<p>No</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="h.35nkun2"></a></p>
<p style="text-align: justify; "><b>BSNL</b></p>
<p style="text-align: justify; ">BSNL's Privacy Policy broadly does not incorporate the safeguards in the Rules under 43A.</p>
<p style="text-align: justify; ">BSNL's privacy policy is accessible online, though not on the website, and is easy to understand. The policy does not, however, categorize SPD/I but defines personal information vaguely as information that helps BSNL identify its customers. As per its policy, subscriber information is used for subscriber services such as identification, assistance etc., credit-worthiness and marketing communications. The policy does not contain any provision on consent, and with respect to marketing communications, a customer implicitly agrees to third party usage of personal information. Third parties under the policy are those that provide services on behalf of BSNL, which extend to mailing and billing services and market research services.</p>
<p style="text-align: justify; ">As per its policy, BSNL may disclose personal information on the basis of legal requirements to credit organisations, BSNL's consultants, and government agencies.</p>
<p style="text-align: justify; ">With respect to access and correction, BSNL reserves the right to modify its privacy policy without notice to its customers. What is presumably a grievance officer email address has been provided for queries and corrections on personal information; however, no further contact details are given.</p>
<p style="text-align: justify; "><a name="h.1ksv4uv"></a> <b>MTNL</b></p>
<p style="text-align: justify; "><b>MTNL does not provide a publicly available Privacy Policy. </b></p>
<h1 style="text-align: justify; "><a name="_Toc406957933"></a> <a name="h.44sinio"></a> Observations</h1>
<p style="text-align: justify; ">This section highlights key trends observed across the privacy policies studied in this research by contrasting the applicable Rule against the applicable provision in the policy.</p>
<p style="text-align: justify; "><b>1. </b> <b>Access and Location of Privacy Policy</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> According to Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, a Body Corporate must provide a privacy policy on its website. Under Rule 5, all bodies corporate have to convey the purpose(s) for which SPD/I are collected prior to the collection and they can, under certain circumstances, move forward with the collection regardless of consent. While this does not entirely violate the Notice Principle of the National Privacy Principles, it does not meet the rather higher standards of the Principle, which recommends that notice must be provided prior to any form of collection of personal information. In addition, the Rules do not contain provisions regulating bodies corporate regarding changes to their privacy policies.<a href="#_ftn36" name="_ftnref36"><sup><sup>[36]</sup></sup></a></p>
<p style="text-align: justify; "><b>Observation</b>: In the survey, it was found that the location and accessibility of a service provider's privacy policy varied. For example:</p>
<p style="text-align: justify; "><b>a. </b> <b>Privacy Policy on main website:</b> Airtel, Aircel, and Vodafone provide a privacy policy that is accessible through the main website of each respective company.</p>
<p style="text-align: justify; "><b>b. </b> <b>Privacy Policy not on website</b>: MTNL does not provide a Privacy Policy on the main website of each of its respective branches across India.</p>
<p style="text-align: justify; "><b>c. </b> <b>Privacy Policy not accessible through main website</b>: TTL and BSNL have a Privacy Policy, but it is not accessible through the main website. For example, the Privacy Policy found on TTL's website is only accessible through the "terms and services" link on the homepage. Similarly, the BSNL privacy policy can only be found through its portal website. <a href="#_ftn37" name="_ftnref37"><sup><sup>[37]</sup></sup></a></p>
<p style="text-align: justify; "><b>d. </b> <b>Privacy Policy not included in Customer Application form</b>: Almost all of the Service Providers do not include/refer to their Privacy Policy in the Customer Application Form, and some do not display their privacy policy or a link to it on their website's homepage. For example, Airtel is the only Service Provider that refers to its privacy policy in the Customer Application Form for an Airtel service.</p>
<p style="text-align: justify; "><b>e. </b> <b>Collection of personal information before Privacy Policy: </b> In some cases it appears that service providers collect private information before the privacy policy is made accessible to the user. For example, before the homepage of ACT's website is shown, a smaller window appears with a form asking for personal information such as name, mobile and email ID. Although the submission of this information is not mandatory, there is no link provided to the privacy policy at this level of collection of information.</p>
<p style="text-align: justify; "><b>2. </b> <b>Sharing of information with Government</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> Rule 6, specifically the proviso to Rule 6, and the Disclosure of Information Principle respectively govern the disclosure of information to third parties. Yet, while the proviso to Rule 6 directly concerns the power of the government to access information with or without consent for investigative purposes, the Disclosure of Information Principle only says that disclosure for law enforcement purposes should be in accordance with the laws currently in force.</p>
<p style="text-align: justify; "><b>Observation</b>: Though all service providers did include statements addressing the potential of sharing information with law enforcement or governmental agencies, how this was communicated varied. For example:</p>
<p style="text-align: justify; "><b>a.) </b> <b>Listing circumstances for disclosure to law enforcement</b>: The Privacy Policy of ACT states <i>"We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person".<a href="#_ftn38" name="_ftnref38"><sup><b><sup>[38]</sup></b></sup></a></i> The Privacy Policy of Airtel on the other hand states <i>"Government Agencies: We may also share your personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences."<a href="#_ftn39" name="_ftnref39"><sup><b><sup>[39]</sup></b></sup></a></i> Lastly, TTL states <i>"To investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person" or "To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay".<a href="#_ftn40" name="_ftnref40"><sup><b><sup>[40]</sup></b></sup></a></i></p>
<p style="text-align: justify; "><b>b.) </b> <b>Listing authorities to whom information will be disclosed</b>: The privacy policy of Aircel states <i>"There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to: …8. Persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services".<a href="#_ftn41" name="_ftnref41"><sup><b><sup>[41]</sup></b></sup></a></i> Similarly, Vodafone states <i>"There may be times when we need to disclose your personal information to third parties. If we do this, we will only disclose your information to persons to whom we may be required to pass your information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services and any person or organisation as authorised by laws and regulations applicable in India."<a href="#_ftn42" name="_ftnref42"><sup><b><sup>[42]</sup></b></sup></a></i> BSNL, meanwhile, states <i>"Apart from the above, BSNL may divulge your personal information to: Government bodies, Regulatory Authorities, and other organizations in accordance with the law or as authorised by law…".<a href="#_ftn43" name="_ftnref43"><sup><b><sup>[43]</sup></b></sup></a></i></p>
<p style="text-align: justify; "><b>3. </b> <b>Readability of Privacy Policies</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b>: Under subsection (i) of Rule 4, a body corporate must provide a privacy policy that is "<i>clear and accessible</i>". Similarly, the Notice Principle requires that the data controller give a "<i>simple-to-understand notice of its information practices to all individuals, in clear and concise language</i>".</p>
<p style="text-align: justify; "><b>Observation</b>: It was found that, particularly with respect to clauses on the collection and disclosure of information, most Privacy Policies use:</p>
<p style="text-align: justify; ">a. <b>Vague terminology: </b>For example, the Privacy Policy of ACT states as a purpose of collection <i>"conduct research"</i>, while for the collection and disclosure of information it states <i>"The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you."<a href="#_ftn44" name="_ftnref44"><sup><b><sup>[44]</sup></b></sup></a></i> Similarly, with regard to the collection of information, Vodafone's Privacy Policy states that it may collect <i>"any other information collected in relation to your use of our products and services".<a href="#_ftn45" name="_ftnref45"><sup><b><sup>[45]</sup></b></sup></a></i></p>
<p style="text-align: justify; ">b. <b>Undefined terminology:</b> On disclosure of information, TTL's privacy policy states that disclosure is <i>"Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI)".<a href="#_ftn46" name="_ftnref46"><sup><b><sup>[46]</sup></b></sup></a></i> Confusingly, although TTL defines CPNI, it does not mention what legal restriction it is referring to; CPNI is in fact an American term, and similar legal restrictions could not be found in India.</p>
<p style="text-align: justify; "><b>4. </b> <b>Information about security practices</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> The parameter for 'reasonable security practices and procedures' has been detailed comprehensively under Rule 8 of the Rules. The same is also covered in detail under the Openness Principle read with Security Principle. While the Security Principle recommends that the data controller protect the information they collect through reasonable security safeguards, the Openness Principle recommends that information regarding these should be made available to all individuals in clear and plain language.</p>
<p style="text-align: justify; "><b>Observation</b> : With the exception of Airtel, no service provider has comprehensively followed the legal requirements for the purpose of their privacy policy. Thus, while most service providers do mention security practices, many do not provide specific or comprehensive details about their security practices and procedures for data protection, and instead assure users that 'reasonable security' procedures are in place. For example:</p>
<p style="text-align: justify; ">a. <b>Comprehensive information about security practices in privacy policy</b>: Airtel and Aircel have provided comprehensive information about their security practices in the companies' Privacy Policies.</p>
<p style="text-align: justify; ">b. <b>Information about security practice, but not in privacy policy</b>: Vodafone has specified its security standards only in its latest 'Sustainability Report' available on its website. In the case of TTL, the specific security standard it follows is available only for its Maharashtra branch (TTLM) through its annual report.</p>
<p style="text-align: justify; ">c. <b>Broad reference to security practices</b>: Many service providers broadly reference security practices, but do not provide specifics. For example, TTL states only <i>"we have implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL</i>." <a href="#_ftn47" name="_ftnref47"><sup><sup>[47]</sup></sup></a></p>
<p style="text-align: justify; ">d. <b>No information about security practices: </b>Some service providers do not mention any details about their security practices and procedures, or whether they even follow any security practices and procedures or not. An example of this would be ACT, which does not mention any security practices or procedures in its Policy.</p>
<p style="text-align: justify; "><b>5. </b> <b>Grievance mechanisms</b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> Rule 5 of the Rules mandates that applicable bodies corporate must designate a 'Grievance Officer' for redressing grievances of users regarding processing of their personal information, and the same is also recommended by the Ninth Principle, i.e., Accountability.</p>
<p style="text-align: justify; "><b>Observation</b> : It was found that adherence to this requirement varied depending on the service provider. For example:</p>
<p style="text-align: justify; ">a. <b>No Grievance Officer:</b> ACT and MTNL do not provide details of a grievance officer on their websites.</p>
<p style="text-align: justify; ">b. <b>Grievance Officer, but no process details</b>: Airtel, TTL, and Vodafone provide details of the Grievance Officer, but no further information about the grievance process is provided.</p>
<p style="text-align: justify; ">c. <b>Grievance Officer and details of process: </b>Aircel<b> </b>provides details of the grievance officer and grievance process.</p>
<p style="text-align: justify; "><b>As a note:</b> All service providers with the exception of ACT have a general grievance redressal mechanism in place as documented on TRAI's website. <a href="#_ftn48" name="_ftnref48"><sup><sup>[48]</sup></sup></a> It is unclear whether these mechanisms are functional, and furthermore it is also unclear if these mechanisms can be used for complaints under the IT Act or the Rules, or complaints on the basis of the Principles. It should be further noted that the multiplicity of grievance redressal officers is a cause for concern, as it may lead to confusion.</p>
<p style="text-align: justify; "><b>6. </b> <b>Consent Mechanism </b></p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b> : Rules 5 and 6 of the Rules<a href="#_ftn49" name="_ftnref49"><sup><sup>[49]</sup></sup></a> on Collection and Disclosure of information, respectively, require applicable bodies corporate to obtain consent/permission before collecting and disclosing personal information. The Choice and Consent Principle of the National Privacy Principles, as enumerated in the A.P. Shah Report, deals exclusively with choice and consent. <a href="#_ftn50" name="_ftnref50"><sup><sup>[50]</sup></sup></a> Withdrawal of consent is an important facet of the choice and consent principle as evidenced by the Rules<a href="#_ftn51" name="_ftnref51"><sup><sup>[51]</sup></sup></a> and the National Privacy Principles <a href="#_ftn52" name="_ftnref52"><sup><sup>[52]</sup></sup></a>.</p>
<p style="text-align: justify; "><b>Observation:</b> Methods of obtaining consent, and what consent was obtained for, varied across service providers. For example:</p>
<p style="text-align: justify; "><b>a. </b> <b>Obtaining consent:</b> Some service providers give data subjects the choice of submitting their personal information (with some exceptions such as for legal requirements) and obtain their consent for its collection and processing. For example, the policies of Airtel, Aircel, and TTL are the only ones which provide information on the mechanisms used to obtain consent. ACT provides for targeted advertisements based on the personal information of the user. The user's viewing of or interaction with such targeted advertisements is, however, considered an affirmation to this third party source that the user meets the targeted criteria. Thus, there appears to be a lack of consent in this regard.</p>
<p style="text-align: justify; "><b>b. </b> <b>No Consent or choice offered:</b> Some service providers do not mention consent. For example, Vodafone and BSNL do not make any mention of choice or consent in their respective privacy policies.</p>
<p style="text-align: justify; "><b>c. </b> <b>Consent for limited circumstances: </b> Some service providers only provide for consent in limited circumstances. For example, ACT mentions consent only in relation to targeted advertising. However, this information is potentially misleading, as discussed earlier in the survey.</p>
<p style="text-align: justify; ">There is also a certain degree of assumption in all the policies regarding consent, as noted in the survey. Thus, if you employ the services of the company in question, you are implicitly agreeing to their terms even if you have not actually been notified of them. And the vague terminology used by most of the policies leaves quite a lot of wiggle room for the companies in question, allowing them to thereby collect more information than the data subject has been notified of without obtaining his or her consent.</p>
<p style="text-align: justify; "><b>7. </b> <b>Transparency mechanism</b> :</p>
<p style="text-align: justify; "><b>Applicable Rule and Principle:</b> The Openness Principle specifically recommends transparency in all activities of the data controller. <a href="#_ftn53" name="_ftnref53"><sup><sup>[53]</sup></sup></a> The Rules provide a limited transparency mechanism under Rule 8, which requires bodies corporate to document their security practices and procedures, and Rule 4, which requires them to provide such information via a privacy policy. As a note, these fall short of the level of 'transparency' espoused by the Openness Principle of the National Privacy Principles.</p>
<p style="text-align: justify; "><b>Observation: </b> All service providers fail in implementing adequate mechanisms for transparency.</p>
<p style="text-align: justify; "><b>8. </b> <b>Scope</b> :</p>
<p style="text-align: justify; "><b>Applicable Rule and Principle</b> : Though the Openness Principle does not directly speak of the scope of the policies in question, it implies that policies regarding all data collection or processing should be made publicly available. The same is also necessary under Rule 4, which mandates that any body corporate which " <i> collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. </i> "</p>
<p style="text-align: justify; "><b>Observation</b> : Though most of the companies mention the scope of their Privacy Policy and include the information collected through the websites, WAP Services, and use of the company's products and services, some companies do not do so. For instance, the scope of the policy is given rather vaguely in Airtel's Policy, and the scope of ACT's policy is restricted to the information collected during the usage of their products and services, and not their website. BSNL's privacy policy is worrisome as it seems to restrict its scope to the information collected through the website only, but does not at the same time state that it does not apply to other methods of data collection and processing.</p>
<h1 style="text-align: justify; "><a name="_Toc406957934"></a> <a name="h.2jxsxqh"></a> International Best Practices</h1>
<h2 style="text-align: justify; ">Canada</h2>
<p style="text-align: justify; ">The privacy regulation regime in Canada is a mixture of the federal regulations and the provincial regulations. Of the former, the Privacy Act is applicable to the public sector, while the Personal Information Protection and Electronic Documents Act ('PIPEDA') applies to the private sector. There are also federal level sectoral regulations, of which the Telecommunications Act is relevant here. The PIPEDA covers the activities of all businesses and federally regulated industries regarding their collection, use, disclosure, safeguarding and provision of access to their customers' personal information. Further, in 2009, the Canadian Radio-television and Telecommunications Commission ('CRTC'), by virtue of the 'Telecom Regulatory Policy CRTC 2009-657' <a href="#_ftn54" name="_ftnref54"><sup><sup>[54]</sup></sup></a> made ISPs subject to privacy standards higher than the standards given under the PIPEDA, while at the same time allowing them to use Internet Traffic Management Practices ('ITMPs'). <a href="#_ftn55" name="_ftnref55"><sup><sup>[55]</sup></sup></a></p>
<p style="text-align: justify; ">The 2009 policy is progressive as it balances the economic needs of Internet Traffic Management Providers vis-à-vis the privacy concerns of consumers. The need to identify ITMPs is integral to the protection of online privacy, as ITMPs most commonly employ methods such as deep packet inspection, which can be used to burrow into the personal information of consumers as well.</p>
<p style="text-align: justify; ">Recognising that this may not be the current practice, but a possibility in the future, the policy lays down certain guidelines for ITMPs. It permits ITMPs that block bad traffic such as spam and malicious software. Nearly all other ITMPs, however, require prior notice of 30 days or more before the ITMP is initiated.<a href="#_ftn56" name="_ftnref56"><sup><sup>[56]</sup></sup></a></p>
<p style="text-align: justify; ">ITMPs are to be used only for the defined need of the ISP and not beyond this, and must not be used for behavioural advertising. Secondary ISPs, in their contracts with Primary ISPs, must agree to the same duties as the latter; that is, the personal information entrusted to them is meant for its purpose alone and is not to be disclosed further.</p>
<h2 style="text-align: justify; "><a name="_Toc406957935">Australia</a></h2>
<p style="text-align: justify; ">The central privacy regulation in Australia is the Privacy Act, 1988. The Act defines two sets of privacy principles, the Information Privacy Principles which apply to the public sector, and the National Privacy Principles which apply to the private sector.<a href="#_ftn57" name="_ftnref57"><sup><sup>[57]</sup></sup></a> These principles govern the following: collection,<a href="#_ftn58" name="_ftnref58"><sup><sup>[58]</sup></sup></a> use and disclosure,<a href="#_ftn59" name="_ftnref59"><sup><sup>[59]</sup></sup></a> data quality,<a href="#_ftn60" name="_ftnref60"><sup><sup>[60]</sup></sup></a> security,<a href="#_ftn61" name="_ftnref61"><sup><sup>[61]</sup></sup></a> openness,<a href="#_ftn62" name="_ftnref62"><sup><sup>[62]</sup></sup></a> access and correction,<a href="#_ftn63" name="_ftnref63"><sup><sup>[63]</sup></sup></a> identifiers,<a href="#_ftn64" name="_ftnref64"><sup><sup>[64]</sup></sup></a> anonymity,<a href="#_ftn65" name="_ftnref65"><sup><sup>[65]</sup></sup></a> trans-border data flows,<a href="#_ftn66" name="_ftnref66"><sup><sup>[66]</sup></sup></a> and sensitive information. <a href="#_ftn67" name="_ftnref67"><sup><sup>[67]</sup></sup></a></p>
<p style="text-align: justify; ">The Telecommunications Act, 1997, is also relevant here, as it also governs the use or disclosure of information by telecommunication services providers, <a href="#_ftn68" name="_ftnref68"><sup><sup>[68]</sup></sup></a> but such information is only protected by the Telecommunications Act if it comes to a person's knowledge or possession in certain circumstances. An example of this is Section 276 of the same, which provides that the information protected by that section will be protected only if the person collecting the information is a current or former carrier, carriage service provider or telecommunications contractor, in connection with the person's business as such a carrier, provider or contractor; or if the person is an employee of a carrier, carriage service provider, telecommunications contractor, because the person is employed by the carrier or provider in connection with its business as such a carrier, provider or contractor.</p>
<h2 style="text-align: justify; "><a name="_Toc406957936">European Union</a></h2>
<p style="text-align: justify; ">The most important source of law in the European Union ('EU') regarding Data Privacy in general is the Data Protection Directive ('Directive'). <a href="#_ftn69" name="_ftnref69"><sup><sup>[69]</sup></sup></a> The Directive has a broad ambit, covering all forms of personal data collection and processing, and mandating that such collection or processing follow the Data Protection Principles it sets out.<a href="#_ftn70" name="_ftnref70"><sup><sup>[70]</sup></sup></a> The Directive differentiates between Personal Data and Sensitive Personal Data, <a href="#_ftn71" name="_ftnref71"><sup><sup>[71]</sup></sup></a> with the collection and processing of the latter being subject to more stringent rules. The telecommunications service providers and internet service providers are included in the definition of 'Controller' as set out in the Directive, and are hence subject to the regulations enforced by the member states of the EU under the same. <a href="#_ftn72" name="_ftnref72"><sup><sup>[72]</sup></sup></a> The Directive will soon be superseded by the General Data Protection directive, which is scheduled to come into force in late 2014, with a two-year transition period after that. <a href="#_ftn73" name="_ftnref73"><sup><sup>[73]</sup></sup></a></p>
<p style="text-align: justify; ">In addition to the above, ISPs are also subject to the Directive on Privacy and Electronic Communications<a href="#_ftn74" name="_ftnref74"><sup><sup>[74]</sup></sup></a> and the Data Retention Directive. <a href="#_ftn75" name="_ftnref75"><sup><sup>[75]</sup></sup></a> The Directive on Privacy and Electronic Communications ('E-Privacy Directive') sets out rules regarding processing security, confidentiality of communications, data retention, unsolicited communications, cookies, and a system of penalties set up by the member states under the title of 'Control'. The E-Privacy Directive supplements the original Data Privacy Directive, and replaces a 1997 Telecommunications Privacy directive. The Data Retention Directive does not directly concern the collection and processing of data by a service provider, but only concerns itself with the retention of collected data. It was an amendment to the E-Privacy Directive, which required the member states to store the telecommunications data of their citizens for six to twenty-four months, and give police and security agencies access to details such as IP addresses and time of use of e-mails.</p>
<p style="text-align: justify; ">The established practices considered above have the following principles, relevant to the study at hand, in common:</p>
<p style="text-align: justify; ">1. Notice</p>
<p style="text-align: justify; ">2. Collection Limitation</p>
<p style="text-align: justify; ">3. Use Limitation</p>
<p style="text-align: justify; ">4. Access and Corrections</p>
<p style="text-align: justify; ">5. Security</p>
<p style="text-align: justify; ">6. Data Quality and Accuracy</p>
<p style="text-align: justify; ">7. Consent</p>
<p style="text-align: justify; ">8. Transparency</p>
<p style="text-align: justify; ">And the following principles are common between two of the three regimes discussed above:</p>
<p style="text-align: justify; ">1. The PIPEDA and the Privacy Act both mention rules regarding Disclosure of collected information, but the Data Protection Directive does not directly govern disclosure of collected information.</p>
<p style="text-align: justify; ">2. The Principle of Accountability is covered by the Data Protection Directive and the PIPEDA, but is not directly dealt with by the Privacy Act.</p>
<p style="text-align: justify; ">3. The PIPEDA and the Data Protection Directive directly mention the principle of Enforcement, but it is not directly covered by the Privacy Act.</p>
<h1 style="text-align: justify; "><a name="_Toc406957937"></a> <a name="h.z337ya"></a> Recommendations</h1>
<p style="text-align: justify; ">Broadly, service providers across India could take cognizance of the following recommendations to ensure alignment with the Rules found under section 43A and to maximize the amount of protection afforded to customer data.</p>
<p style="text-align: justify; ">1. <b>Access and location of privacy policy:</b> Service providers should ensure that the privacy policy is easily accessible through the main page of the company's website. Furthermore, the Privacy Policy should be accessible to users prior to the collection of personal information. All 'User Agreement' forms should include a written Privacy Policy or a reference to the Privacy Policy on the service provider's website.</p>
<p style="text-align: justify; ">2. <b>Scope of privacy policy:</b> The privacy policy should address all practices and services offered by the service provider. If a service requires a different or additional privacy policy, a link to the same should be included in the privacy policy on the main website of the service provider.</p>
<p style="text-align: justify; ">3. <b>Defining consent</b>: The Privacy Policy should clearly define what constitutes 'consent'. If the form of consent changes for different types of service, this should be clearly indicated.</p>
<p style="text-align: justify; ">4. <b>Clear language:</b> The language in the Privacy Policy should be clear and specific, leaving no doubt or ambiguity with regards to the provisions.</p>
<p style="text-align: justify; ">5. <b>Transparent security practices:</b> The Privacy Policy should include comprehensive information about a company's security practices. Information pertaining to audits of these procedures should be made public.</p>
<p style="text-align: justify; ">6. <b>Defined and specified third parties:</b> The Privacy Policy should define 'third party' as it pertains to the company's practices and specify which third parties information will be shared with.</p>
<p style="text-align: justify; ">7. <b>Comprehensive grievance mechanism: </b>The Privacy Policy should include relevant details for users to easily use established grievance mechanisms. This includes contact details of the grievance officers, the procedure for submitting a grievance, the expected response of the grievance officer (recognition of the grievance, time period for resolution etc.), and the method of appealing the decision of the grievance officer.</p>
<p style="text-align: justify; ">8. <b>Specify laws governing disclosure to governmental agencies and law enforcement:</b> The Privacy Policy should specify under what laws, and to whom, service providers are required to disclose personal information.</p>
<p style="text-align: justify; ">9. <b>Inclusion of data retention practices:</b> The Privacy Policy should include provisions defining the retention practices of the company.</p>
<h1 style="text-align: justify; "><a name="_Toc406957938"></a> <a name="h.3j2qqm3"></a> Annexure 1</h1>
<p style="text-align: justify; "><a name="h.1y810tw"></a> Explanation and Interpretation of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
<p style="text-align: justify; ">Section 43A under the Information Technology Act 2000 addresses the protection of sensitive personal data or information and the implementation of an information security management system, and the Rules framed under section 43A attempt to establish a holistic data security regime for the private sector.</p>
<p style="text-align: justify; ">The following section is a description of the requirements found under section 43A and subsequent Rules with respect to information that must be included in the privacy policy of a 'body corporate' and procedures that must be followed by 'body corporate' with respect to the publishing and notice of a privacy policy. This section also includes an explanation of how each relevant provision has been interpreted for the purpose of this research.</p>
<p style="text-align: justify; "><b>Relevant provisions that pertain to the privacy policy of body corporate </b></p>
<p style="text-align: justify; "><b>Rule 3:</b> This section defines the term 'Sensitive Personal Data or Information', setting out the six types of information that are considered 'sensitive personal data' including:</p>
<p style="text-align: justify; ">i. Password - Defined under the Rules as "a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information"<a href="#_ftn76" name="_ftnref76"><sup><sup>[76]</sup></sup></a>.</p>
<p style="text-align: justify; ">ii. Financial information - "such as Bank account or credit card or debit card or other payment instrument details" <a href="#_ftn77" name="_ftnref77"><sup><sup>[77]</sup></sup></a></p>
<p style="text-align: justify; ">iii. Physical, physiological and mental health condition</p>
<p style="text-align: justify; ">iv. Sexual orientation</p>
<p style="text-align: justify; ">v. Medical records and history</p>
<p style="text-align: justify; ">vi. Biometric information</p>
<p style="text-align: justify; ">The two other broad categories of Sensitive Personal Data or Information that are included in the Rule are - any related details provided to the body corporate, and any information received by the body corporate in relation to the categories listed above. <a href="#_ftn78" name="_ftnref78"><sup><sup>[78]</sup></sup></a></p>
<p style="text-align: justify; ">The proviso to this section excludes any information available in the public domain or which may be provided under the Right to Information Act, 2005 from the ambit of SPD/I.</p>
<p style="text-align: justify; ">Under the Rules, Sensitive Personal Data is considered to be a subset of Personal Information - which has been defined by Section 2 (1) (i) as " <i> any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person </i> "<a href="#_ftn79" name="_ftnref79"><sup><sup>[79]</sup></sup></a></p>
<p style="text-align: justify; "><b>Interpretation:</b> While the Rules are clearly limited to personal and sensitive personal data or information, the use of these terms throughout the Rules is not consistent. For example, some provisions under the Rules ambiguously use the term 'information' in place of the terms 'personal information' and/or 'sensitive personal information'.<a href="#_ftn80" name="_ftnref80"><sup><sup>[80]</sup></sup></a> While 'information' has been defined non-exhaustively as any 'data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated microfiche' in the Act, this definition appears to be overbroad and cannot be applied in that form for the purpose of provisions on privacy policy. <a href="#_ftn81" name="_ftnref81"><sup><sup>[81]</sup></sup></a> Hence, 'information', when used in the Rules, is construed to mean 'personal information' including 'sensitive personal information' for the purpose of this survey.</p>
<p style="text-align: justify; ">As per Rule 3, information in the public domain isn't classified as sensitive personal data. This exception may require a relook considering that 'providers of information' may not want their data to be disclosed beyond its initial disclosure, or in certain cases, they may not even know of its existence in the public domain. Since the notice of collection, purpose and use of information is limited to SPD alone under Rule 5, information in the public domain should be seen together with whether the provider of information has provided the latter directly or to a service provider that requires the information. If the source is the information provider directly, it need not be classified as SPD.</p>
<p style="text-align: justify; ">On a positive note, the addition of the term "in combination with other information available or likely to be available" gives recognition to the phenomenon of convergence of data. Parts of information that seem of negligible importance, when combined, provide a fuller personal profile of an individual; the recognition of this, in effect, gives a far wider scope to personal information under the Rules.</p>
<p style="text-align: justify; ">In the specific context of Privacy Policies, the Rules do not stipulate whether the mandated privacy policy has to explicitly mention SPD/I that is collected or used. (This is mentioned under Rule 4(ii) and (iii).) Since the Rules do require that a privacy policy must be clear, it is construed that the privacy policy should explicitly recognize the type of PI and SPD/I being collected by the company.</p>
<p style="text-align: justify; "><b>Rule 4:</b> This rule applies to any "<i>body corporate that collects, receives possess, stores, deals or handles information of the provider of information</i>". For the purposes of this research, this entity will be referred to as a 'data controller'. According to Rule 4, every data controller must provide a privacy policy on its website for handling of or dealing in personal information including sensitive personal information.</p>
<p style="text-align: justify; ">The following details have to be included in the privacy policy -</p>
<p style="text-align: justify; ">"(i) Clear and easily accessible statements of its practices and policies;</p>
<p style="text-align: justify; ">(ii) Type of personal or sensitive personal data or information collected under rule 3;</p>
<p style="text-align: justify; ">(iii) Purpose of collection and usage of such information;</p>
<p style="text-align: justify; ">(iv) Disclosure of information including sensitive personal data or information as provided in rule 6;</p>
<p style="text-align: justify; ">(v) Reasonable security practices and procedures as provided under rule 8."<a href="#_ftn82" name="_ftnref82"><sup><sup>[82]</sup></sup></a></p>
<p style="text-align: justify; "><b>Interpretation</b> : The Rules do not provide an adequate understanding of the terms 'clear' and 'accessible', and the terms 'practices' and 'policies' are not defined. For the purpose of this research, 'practices' will be construed to mean the privacy policy of the company. It is deemed to be clear and accessible if it is available either directly or through a link on the main website of the body corporate. To meet the standards set by this Rule, the policy or policies should disclose information about the company's services, products and websites, whenever personal information is collected.</p>
<p style="text-align: justify; "><b>Rule 5:</b> This Rule establishes limits for collection of information. It states that prior informed consent has to be obtained by means of letter, fax or email from the user regarding the purpose of usage for the sensitive personal information sought to be collected. It limits the purpose for collection of SPD/I to collection for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and only if it is considered necessary for that purpose. Thus, the information collected can only be used for the stated purpose for which it has been collected. <a href="#_ftn83" name="_ftnref83"><sup><sup>[83]</sup></sup></a></p>
<p style="text-align: justify; ">Further, Rule 5 (3) provides that consent has to be obtained and knowledge provided to a person from whom personal information is being directly collected - which for service providers - is understood to be through the customer application form. This rule will be deemed to have been complied with when the following information is provided -</p>
<p style="text-align: justify; ">a. The fact that the information is being collected.</p>
<p style="text-align: justify; ">b. The purpose of such collection.</p>
<p style="text-align: justify; ">c. Intended recipients of the collected information.</p>
<p style="text-align: justify; ">d. Names and addresses of the agency or agencies collecting and retaining information.</p>
<p style="text-align: justify; ">Moreover, it provides that the user has to be given the option of not providing information prior to its collection. In case the user chooses this option or subsequently withdraws consent the body corporate has the option to withhold its services.</p>
<p style="text-align: justify; ">This section also provides under Section 5 (2) (a) that the type of information that this Rule concerns itself with can only be collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf and if it is considered necessary for that purpose.</p>
<p style="text-align: justify; ">It also requires that a Grievance Officer be instated to redress the grievance " <i>expeditiously but within one month from the date of receipt of grievance.</i>" The Grievance Redressal process has been discussed in more detail later.</p>
<p style="text-align: justify; "><b>Interpretation:</b> Even though Rule 5 incorporates various major data protection principles and mandates the establishment of a Grievance Redressal Mechanism, neither Rule 5 nor Rule 4 (3) makes a reference to the other. [Rule 4(3) uses the term "such information", and the fact that it follows Rule 4(2) which clearly refers to personal information as well as SPD/I, means that Rule 4(3) also refers to the same]</p>
<p style="text-align: justify; "><i>Prima facie</i> , the scope of Rule 5 is limited to collection of SPD/I. However, Rule 4 (3) ostensibly covers the broad ambit of 'information' which includes SPD/I. Construing these two provisions together using the 'Harmonious Construction' principle <a href="#_ftn84" name="_ftnref84"><sup><sup>[84]</sup></sup></a>, Rule 5 could be interpreted to cover personal information for privacy policies under Rule 4.</p>
<p style="text-align: justify; ">In addition, Rule 5(3) doesn't expand on the reasonable steps to be taken for intimating the information provider on the extent of disclosure and purpose of collection. This appears as a rather large loophole considering the wide interpretation that can be given to 'reasonable' practices of service providers.</p>
<p style="text-align: justify; "><b>Rule 6:</b> This rule lays down the conditions and procedure for disclosure of information.<a href="#_ftn85" name="_ftnref85"><sup><sup>[85]</sup></sup></a> Under it, the following conditions apply before any disclosure of information by the 'body corporate' to any third party -</p>
<p style="text-align: justify; ">a. The body corporate is required to obtain prior permission from the provider of the information, or</p>
<p style="text-align: justify; ">b. Permission to disclose has to be agreed on in the contract between the company and the data subject, or</p>
<p style="text-align: justify; ">c. Disclosure is necessary for the compliance of a legal obligation.</p>
<p style="text-align: justify; ">An exception is made in case the disclosure is made to an authorized and legally mandated Government agency upon request for the purposes of verification of identity, for prevention, detection, and investigation of incidents, specifically including cyber incidents, prosecution, and punishment of offences, in which case no consent from the data subject will be required. Thus, the company does not need user consent to disclose information to authorized law enforcement or intelligence agencies when presented with an authorized request.</p>
<p style="text-align: justify; "><b>Interpretation</b> :</p>
<p style="text-align: justify; ">The guidelines for disclosure limit themselves to SPD under Rule 6, leaving a vacuum with respect to information that doesn't fall within the definition of SPD/I. However, Rule 4 (iv) applies to 'information including SPD'. Reading the two together, in accordance with the 'Harmonious Construction' principle, the scope of SPD/I in Rule 6 is construed to extend to the same personal information and SPD/I as is covered by Rule 4 (iv), for the limited purpose of the privacy policies under Rule 4.</p>
<p style="text-align: justify; "><b>Rule 7</b> : This Rule requires that when the data controller transfers SPD/I to another body corporate or person, such a third party must adhere to the same standards of data protection that the body corporate collecting the information in the first instance follows.</p>
<p style="text-align: justify; "><b>Interpretation</b> : Although the privacy policy is not required to provide details of the transfer of information, the fourth sub-section of Rule 4, which concerns itself with the obligation of the body corporate to provide a policy for privacy including information about the disclosure of information to its consumers, incorporates this Rule as it deals with disclosure of information to third parties. Thus, the Policy of the body corporate must include details of how the data shared by the body corporate in question is handled or dealt with by the third party.</p>
<p style="text-align: justify; "><b>Rule 8:</b> This Rule details the criteria for reasonable security practices and procedures.<a href="#_ftn86" name="_ftnref86"><sup><sup>[86]</sup></sup></a> It provides that not only must the body corporate have implemented standard security practices and procedures, but it should also have documented the information security program and policies containing appropriate "<i>managerial, technical, operational and physical security control measures</i>". The Rule specifically uses the example of IS/ISO/IEC 27001 as an international standard that would fulfill the requirements under this provision. The security standards or codes of best practices adopted by the company are required to be certified/audited by a Government approved independent auditor annually and after modification or alteration of the existing practice and procedure. Sub-section (1) of the Rule also gives the body corporate the option of creating its own security procedures and practices for dealing with managerial, technical, operational, and physical security control, and have comprehensive documentation of their information security programme and information security policies. These norms should be as strict as the type of information collected and processed requires. In the event of a breach, the body corporate can be called to demonstrate that these norms were suitably implemented by it.</p>
<p style="text-align: justify; "><b>Interpretation</b> : It is unclear whether the empanelled IT security auditing organizations recognized by CERT-In discussed later are qualified for the purpose of this Rule, but from publicly available information the Data Security Council of India and CERT-In's empanelled Security Auditors seem to be the agencies given this task<a href="#_ftn87" name="_ftnref87"><sup><sup>[87]</sup></sup></a>. With regard to the Privacy Policy or Policies of a company, it is only necessary that the company include as many details as possible regarding the steps taken to ensure the security and confidentiality of the collected information in the Privacy Policy and Policies, and notify them to the consumer.</p>
<p style="text-align: justify; "><b>Other Relevant Policies:</b></p>
<p style="text-align: justify; "><b>Empanelled Information Technology Security Auditors</b> - CERT-In has created a panel of 'IT Security Auditors' for auditing networks &amp; applications of various organizations of the Government, critical infrastructure organizations and private organizations including bodies corporate.<a href="#_ftn88" name="_ftnref88"><sup><sup>[88]</sup></sup></a> The empanelled IT security auditing organization is required to, <i>inter alia</i>, conduct a "<i>Review of Auditee's existing IT Security Policy and controls for their adequacy as per the best practices vis-à-vis the IT Security frameworks outlined in standards such as COBIT, COSO, ITIL, BS7799 / ISO17799, ISO27001, ISO15150, etc.</i>"<a href="#_ftn89" name="_ftnref89"><sup><sup>[89]</sup></sup></a> and conduct and document various assessments and tests. Some typical reviews and tests that include privacy reviews are - Information Security Testing, Internet Technology Security Testing and Wireless Security Testing.<a href="#_ftn90" name="_ftnref90"><sup><sup>[90]</sup></sup></a> For this purpose CERT-In maintains a list of IT Security Auditing Organizations<a href="#_ftn91" name="_ftnref91"><sup><sup>[91]</sup></sup></a>.</p>
<p style="text-align: justify; "><a name="h.4i7ojhp"></a> <b>Criteria for analysis of company policies based on the 43A Rules </b></p>
<p style="text-align: justify; ">1. Clear and Accessible statements of its practices and policies<a href="#_ftn92" name="_ftnref92"><sup><sup>[92]</sup></sup></a> -</p>
<p style="text-align: justify; ">i. Whether the privacy policy is accessible through the main website of the body corporate?</p>
<p style="text-align: justify; ">ii. Whether the privacy policy is mentioned or included in the terms and conditions of all documents of the body corporate that collect personal information?</p>
<p style="text-align: justify; ">iii. Whether the privacy policy can be comprehended by persons without legal knowledge?</p>
<p style="text-align: justify; ">2. Type and acknowledgment of personal or sensitive personal data/information collected <a href="#_ftn93" name="_ftnref93"><sup><sup>[93]</sup></sup></a>-</p>
<p style="text-align: justify; ">i. Whether the privacy policy explicitly states that personal and sensitive personal information will be collected?</p>
<p style="text-align: justify; ">ii. Whether the privacy policy mentions all categories of personal information including SPD/I being collected?</p>
<p style="text-align: justify; ">3. Option to not provide information and withdrawal of consent<a href="#_ftn94" name="_ftnref94"><sup><sup>[94]</sup></sup></a> -</p>
<p style="text-align: justify; ">i. Whether the Privacy Policy specifies that the user has the option to not provide information?</p>
<p style="text-align: justify; ">ii. Whether the Privacy Policy specifies that the user has the option to subsequently withdraw consent?</p>
<p style="text-align: justify; ">4. Existence of Grievance Officer -</p>
<p style="text-align: justify; ">i. Whether the privacy policy mentions the existence of a grievance officer?</p>
<p style="text-align: justify; ">ii. Whether the privacy policy provides details of the grievance redressal mechanism?</p>
<p style="text-align: justify; ">iii. Whether the privacy policy provides the names and contact information of the grievance officer?</p>
<p style="text-align: justify; ">5. Purpose of Collection and usage of information -</p>
<p style="text-align: justify; ">i. Whether the privacy policy enumerates the purpose(s) for which information is collected exhaustively?</p>
<p style="text-align: justify; ">6. Disclosure of Information -</p>
<p style="text-align: justify; ">i. Whether personal information is shared with third parties (except authorized government agencies/LEA/IA) only with user consent?</p>
<p style="text-align: justify; ">ii. Whether the policy specifies that personal information is disclosed to Government agencies/LEA/IA only when legally mandated as per the circumstances laid out in 43A?</p>
<p style="text-align: justify; ">7. Reasonable Security practices and procedures -</p>
<p style="text-align: justify; ">i. Whether the privacy policy provides adequate details of the reasonable security practices and procedures followed by the body corporate to secure information?</p>
<p style="text-align: justify; "><a name="h.2xcytpi"></a> <a name="h.3whwml4"></a> <b> </b></p>
<h1 style="text-align: justify; "><a name="_Toc406957939">Annexure 2</a></h1>
<p style="text-align: justify; "><a name="h.2bn6wsx"></a> (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) 2011 and Company Survey</p>
<p style="text-align: justify; "><b>1. Bharti Airtel Ltd.</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel's Privacy Policy<a href="#_ftn95" name="_ftnref95"><sup><sup>[95]</sup></sup></a> is available through the main page of the website and it is mentioned in the Airtel Terms and Conditions and is applicable for Airtel's websites as well as its services and products, such as its telecommunications services. It was determined that the policy can be comprehended by individuals without legal knowledge.</p>
<p style="text-align: justify; "><b>2. </b> <b>Type and acknowledgement of personal or sensitive personal data/information collected: Yes </b></p>
<p style="text-align: justify; ">b. <b>Rationale: </b>Airtel's Privacy Policy indicates that sensitive personal and personal information will be collected, defines sensitive personal information<a href="#_ftn96" name="_ftnref96"><sup><sup>[96]</sup></sup></a>, and specifies the types of personal<a href="#_ftn97" name="_ftnref97"><sup><sup>[97]</sup></sup></a> and sensitive personal information<a href="#_ftn98" name="_ftnref98"><sup><sup>[98]</sup></sup></a> that will be collected.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide data or information and subsequent withdrawal of consent: Yes</b></p>
<p style="text-align: justify; ">c. <b>Rationale: </b>The Airtel Privacy Policy states that individuals have the right to choose not to provide consent or information and have the right to withdraw consent. The policy notes that if consent/information is not provided, Airtel reserves the right to not provide or to withdraw the services.<a href="#_ftn99" name="_ftnref99"><sup><sup>[99]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel provides the contact details of nodal officers<a href="#_ftn100" name="_ftnref100"><sup><sup>[100]</sup></sup></a> and appellate authorities<a href="#_ftn101" name="_ftnref101"><sup><sup>[101]</sup></sup></a> on its website. Additionally, the website provides for the 'Office of the Ombudsperson'<a href="#_ftn102" name="_ftnref102"><sup><sup>[102]</sup></sup></a>, which is an independent forum for employees and external stakeholders<a href="#_ftn103" name="_ftnref103"><sup><sup>[103]</sup></sup></a> of the company to raise concerns and complaints about improper practices which are in breach of the Bharti Code of Conduct. Details of the Airtel Grievance Redressal Officers can also be found on the TRAI website.<a href="#_ftn104" name="_ftnref104"><sup><sup>[104]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Comprehensive disclosure of purpose of collection and usage of information: Partial </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Airtel's Privacy Policy indicates eight purposes<a href="#_ftn105" name="_ftnref105"><sup><sup>[105]</sup></sup></a> that information will be collected and used for, but notes that the use and collection is not limited to the defined purposes.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information<a href="#_ftn106" name="_ftnref106"><sup><b><sup>[106]</sup></b></sup></a>: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel has a dedicated section explaining the company's practices around the disclosure and sharing of collected information, including ways in which consent will be collected for the sharing of personal information<a href="#_ftn107" name="_ftnref107"><sup><sup>[107]</sup></sup></a>, how collected personal information may be collected internally <a href="#_ftn108" name="_ftnref108"><sup><sup>[108]</sup></sup></a>, the disclosure of information to third parties and that the third party will be held accountable for protecting the information through contract<a href="#_ftn109" name="_ftnref109"><sup><sup>[109]</sup></sup></a>, the possible transfer of personal information and its purposes<a href="#_ftn110" name="_ftnref110"><sup><sup>[110]</sup></sup></a>, and the circumstances under which information will be disclosed to governmental agencies (which reflect the circumstances defined by the Rules.) <a href="#_ftn111" name="_ftnref111"><sup><sup>[111]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Existence of reasonable security practices and procedures</b> <a href="#_ftn112" name="_ftnref112"><sup><sup>[112]</sup></sup></a> <b>: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Airtel's privacy policy has a dedicated section that explains the company's security practices and procedures in place. The policy notes that Airtel's practices and procedures are IS/ISO/IEC 27001 compliant <a href="#_ftn113" name="_ftnref113"><sup><sup>[113]</sup></sup></a>, that access is restricted to a need to know basis and that employees are bound by codes of confidentiality<a href="#_ftn114" name="_ftnref114"><sup><sup>[114]</sup></sup></a>, and that Airtel works to ensure that third parties also have strong security procedures in place.<a href="#_ftn115" name="_ftnref115"><sup><sup>[115]</sup></sup></a> The policy also provides details on the retention<a href="#_ftn116" name="_ftnref116"><sup><sup>[116]</sup></sup></a> and destruction <a href="#_ftn117" name="_ftnref117"><sup><sup>[117]</sup></sup></a> procedures for personal information, and notes that reasonable steps are taken to protect against hacking and virus attacks.<a href="#_ftn118" name="_ftnref118"><sup><sup>[118]</sup></sup></a></p>
<p style="text-align: justify; "><b>1. </b> <b>Tata Telecommunication Services (DoCoMo and Virgin Mobile)</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies</b> : Partial</p>
<p style="text-align: justify; ">a. <b>Rationale</b>: Though Tata DoCoMo has a comprehensive Data Privacy Policy <a href="#_ftn119" name="_ftnref119"><sup><sup>[119]</sup></sup></a> that is applicable to Tata Teleservices Limited's ("<b>TTL</b>") products and services and the TTL website, it is not accessible to the user through the main website. In the Frequently Asked Questions Section of TTL, it is clarified under what circumstances information that you provide is not covered by the TTL privacy policy. <a href="#_ftn120" name="_ftnref120"><sup><sup>[120]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>TTL defines personal information<a href="#_ftn121" name="_ftnref121"><sup><sup>[121]</sup></sup></a> but only provides general examples of types of personal information<a href="#_ftn122" name="_ftnref122"><sup><sup>[122]</sup></sup></a> (and not sensitive personal) collected, rather than a comprehensive list. The definitions and examples of information collected are clarified in the FAQs and the Privacy Policy, rather than in the Privacy Policy alone. As a strength, the Privacy Policy clarifies the ways in which TTL will collect information from the user - including the fact that they receive information from third parties like credit agencies.<a href="#_ftn123" name="_ftnref123"><sup><sup>[123]</sup></sup></a></p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: N/A</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>The TTL Privacy Policy does not address the right of the individual to provide consent/information and to withdraw information/consent.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> TTL has various methods to lodge complaints and provides for an appellate authority. <a href="#_ftn124" name="_ftnref124"><sup><sup>[124]</sup></sup></a> Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.<a href="#_ftn125" name="_ftnref125"><sup><sup>[125]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> In its Privacy Policy, TTL describes the way in which collected information is used.<a href="#_ftn126" name="_ftnref126"><sup><sup>[126]</sup></sup></a> The TTL FAQs further clarify the use of cookies by the company, the use of provided information for advertising purposes,<a href="#_ftn127" name="_ftnref127"><sup><sup>[127]</sup></sup></a> and the use of aggregate and anonymized data.<a href="#_ftn128" name="_ftnref128"><sup><sup>[128]</sup></sup></a></p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>In the Privacy Policy and the FAQs page, TTL is transparent about the circumstances under which they will share/disclose personal information with third parties<a href="#_ftn129" name="_ftnref129"><sup><sup>[129]</sup></sup></a>, with law enforcement/governmental agencies<a href="#_ftn130" name="_ftnref130"><sup><sup>[130]</sup></sup></a>, and with other TTL companies.<a href="#_ftn131" name="_ftnref131"><sup><sup>[131]</sup></sup></a> Interestingly, the TTL FAQs clarify to the customer that their personal information might be processed in different jurisdictions, and thus would be accessible by law enforcement in that jurisdiction.<a href="#_ftn132" name="_ftnref132"><sup><sup>[132]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Partial</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>TTL's Privacy Policy broadly references that security practices are in place to protect user information, but the policy does not make reference to a specific security standard, or provide detail as to what these practices and procedures are. <a href="#_ftn133" name="_ftnref133"><sup><sup>[133]</sup></sup></a> Although TTL's Privacy Policy does not make mention of any specific security standard, Tata Teleservices (Maharashtra) Limited claims to have been awarded with ISO 27001 ISMS (Information Security Management Systems) Certification in May 2011, and completed its first Surveillance Audit in June 2012<a href="#_ftn134" name="_ftnref134"><sup><sup>[134]</sup></sup></a>. Information on IT security standards adopted by other circles could not be found on the internet.</p>
<p style="text-align: justify; "><b>2. </b> <b>Vodafone </b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Vodafone's Privacy Policy<a href="#_ftn135" name="_ftnref135"><sup><sup>[135]</sup></sup></a> is easily accessible from its website from a link at the bottom, directly from the home page and from all other pages of the website. <a href="#_ftn136" name="_ftnref136"><sup><sup>[136]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Collection of personal or sensitive personal data/information: No </b></p>
<p style="text-align: justify; "><b>Rationale: </b> Type -</p>
<p style="text-align: justify; ">a. Personal Information - The amount of detail given by the Privacy Policy with regard to the personal information being collected is insufficient, as it does not include a number of relevant facts, and uses vague language - such as '<i>amongst other things</i>', implying that information other than that which is notified is being collected.<a href="#_ftn137" name="_ftnref137"><sup><sup>[137]</sup></sup></a></p>
<p style="text-align: justify; ">b. Sensitive Personal Data or Information - The Privacy Policy does not explicitly mention the categories or types of SPD/I, as defined under Rule 3, being collected by the service provider; it only gives a general overview of the information that is collected.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b> The privacy policy does not mention the consent of data subject anywhere, nor does it mention his or her right to withdraw it at any point of time. It also does not mention whether or not the provision of services by Vodafone is contingent on the provision of such information.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Privacy Policy explicitly mentions and gives the email address of a grievance redressal officer, though further details about the other offices are given in a separate section of the website.<a href="#_ftn138" name="_ftnref138"><sup><sup>[138]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Partial</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy gives an exhaustive list of purposes for which the collected information can be used by Vodafone, <a href="#_ftn139" name="_ftnref139"><sup><sup>[139]</sup></sup></a> but at the same time the framing of the opening sentence and the usage of the term 'may include' could imply that it can be used for other purposes as well.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy mentions that Vodafone might share the collected information with certain third parties and the terms and conditions which would apply to such a third party.<a href="#_ftn140" name="_ftnref140"><sup><sup>[140]</sup></sup></a> The phrasing does not imply that there are other conditions that have not been mentioned in the policy, under which the information would be shared with a third party. At the same time, the Privacy Policy does not explicitly say that the third party will necessarily follow the privacy and data security procedures and rules laid down in the Privacy Policy.</p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Privacy Policy mentions in reasonably clear detail the security practices and procedures followed by Vodafone, and also mentions the circumstances in which the data subject should take care to protect his or her own information, wherein Vodafone will not be liable.<a href="#_ftn141" name="_ftnref141"><sup><sup>[141]</sup></sup></a> Although Vodafone India's Privacy Policy does not specify what their IT Security standard is, its 2012/2013 Sustainability Report available through its international website<a href="#_ftn142" name="_ftnref142"><sup><sup>[142]</sup></sup></a> states that it follows industry practices in line with the ISO 27001 standard and its core data centre in India follows this standard<a href="#_ftn143" name="_ftnref143"><sup><sup>[143]</sup></sup></a>.</p>
<p style="text-align: justify; "><b>3. </b> <b>Aircel</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes </b></p>
<p style="text-align: justify; "><b>Rationale: </b></p>
<p style="text-align: justify; ">The Privacy Policy is accessible from every page of the Aircel website, with a link at the bottom of each page after the specific circle has been chosen. It is reasonably free of legalese and is intelligible.<a href="#_ftn144" name="_ftnref144"><sup><sup>[144]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial</b></p>
<p style="text-align: justify; "><b>Rationale: </b> Type -</p>
<p style="text-align: justify; ">a. Personal Information</p>
<p style="text-align: justify; ">In the Privacy Policy, the repeated usage of the term 'may' creates some doubt about the actual extent of the data collected, and leaves the Privacy Policy quite unclear in this regard. At the same time, the Privacy Policy does include a fairly comprehensive list of personal information that could be collected. <a href="#_ftn145" name="_ftnref145"><sup><sup>[145]</sup></sup></a> The wording in the Privacy Policy thus requires further clarification and specification in order to make a determination on whether or not it provides complete details on the personal information that will be collected.</p>
<p style="text-align: justify; ">b. Sensitive Personal Data or Information</p>
<p style="text-align: justify; ">The Privacy Policy does not mention SPDI explicitly, which adds to the lack of concrete details as noted earlier.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent - Yes</b></p>
<p style="text-align: justify; "><b>Rationale</b> : The Privacy Policy mentions that users have the right to refuse to provide, or to withdraw, consent to the collection of personal information. In such cases, Aircel can respectively refuse or discontinue the provision of its services.<a href="#_ftn146" name="_ftnref146"><sup><sup>[146]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: Yes </b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">Though not directly mentioned in the Privacy Policy, a separate, easily noticeable link at the bottom of each webpage links to the Customer Grievance section. There are different officers in charge of each node, called the Nodal Officers. <a href="#_ftn147" name="_ftnref147"><sup><sup>[147]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Partial </b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>The usage of the term 'may' in the section of the Privacy Policy regarding the purpose of collection and usage of information again leaves it ambiguous in this regard, implying that it can just as easily be used for purposes that have not been notified to the data subject.<a href="#_ftn148" name="_ftnref148"><sup><sup>[148]</sup></sup></a></p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale: </b>Though the Privacy Policy does not specify all the circumstances under which Aircel would share the collected information with a third party, it specifies the terms and conditions that would apply in the cases that it does.<a href="#_ftn149" name="_ftnref149"><sup><sup>[149]</sup></sup></a></p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: Yes</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">The Policy gives a reasonable amount of detail about the steps taken by Aircel to ensure the security of the information collected by it, but leaves certain holes uncovered.<a href="#_ftn150" name="_ftnref150"><sup><sup>[150]</sup></sup></a></p>
<p style="text-align: justify; "><b>4. </b> <b>Atria Convergence Technologies Private Limited (ACT)</b></p>
<p style="text-align: justify; "><b>1. </b> <b>Clear and Accessible statements of its practices and policies: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy is intelligible, and is easily accessible from all the webpages of the company's website from a link at the bottom of all pages.<a href="#_ftn151" name="_ftnref151"><sup><sup>[151]</sup></sup></a></p>
<p style="text-align: justify; "><b>2. </b> <b>Type of personal or sensitive personal data/information collected: Partial</b></p>
<p style="text-align: justify; ">a. Rationale:</p>
<p style="text-align: justify; ">Type -</p>
<p style="text-align: justify; ">a. Personal Information - Yes -</p>
<p style="text-align: justify; ">The Policy mentions the different types of Personal Information which will be collected by ACT if the customer registers with the Company. <a href="#_ftn152" name="_ftnref152"><sup><sup>[152]</sup></sup></a></p>
<p style="text-align: justify; ">b. Sensitive Personal Data or Information -</p>
<p style="text-align: justify; ">The categories of SPD/I collected by ACT are not specifically mentioned in the policy, though they are mentioned as part of the general declarations.</p>
<p style="text-align: justify; "><b>3. </b> <b>Option to not provide information and withdrawal of consent: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale</b>: The option of the data subject not providing or withdrawing consent has not been mentioned in the Policy.</p>
<p style="text-align: justify; "><b>4. </b> <b>Existence of Grievance Officer: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> No Grievance Officer has been mentioned in the Privacy Policy or on the ACT website, nor has any other grievance redressal process been specified.<a href="#_ftn153" name="_ftnref153"><sup><sup>[153]</sup></sup></a></p>
<p style="text-align: justify; "><b>5. </b> <b>Purpose of Collection and usage of information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy mentions the various ways ACT might use the information it collects, though the use of the term 'general' is a cause for concern.<a href="#_ftn154" name="_ftnref154"><sup><sup>[154]</sup></sup></a> The list of purposes for collection given in the Privacy Policy is a very general list.</p>
<p style="text-align: justify; "><b>6. </b> <b>Disclosure of Information: Yes</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The Policy mentions the circumstances in which ACT might share the collected information with a third party, and also mentions that such parties will either be subject to confidentiality agreements, or that the data subject will be notified before his or her information becomes subject to a different privacy policy. It also mentions the exception to the above, that being when the information is shared for investigative purposes.<a href="#_ftn155" name="_ftnref155"><sup><sup>[155]</sup></sup></a> At the same time, the intended recipients of the information are not mentioned, and the names and addresses of the agency or agencies collecting and retaining information are not mentioned.</p>
<p style="text-align: justify; "><b>7. </b> <b>Reasonable Security practices and procedures: No</b></p>
<p style="text-align: justify; ">a. <b>Rationale:</b> The security practices and procedures followed by ACT to protect the information of its customers are not mentioned in the Policy, which is a critical weak point given the requirements of the Rules. <a href="#_ftn156" name="_ftnref156"><sup><sup>[156]</sup></sup></a></p>
<div style="text-align: justify; ">
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> . Telecom Regulatory Authority of India, Press Release 143/2012,(< <a href="http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf"> http://www.trai.gov.in/WriteReadData/PressRealease/Document/PR-TSD-May12.pdf </a> >)</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> . The Indian Telecom Service Performance Indicators, January-March 2013, Telecom Regulatory Authority of India. (< <a href="http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf"> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf </a> >)</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < <a href="http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece"> http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece </a> ></p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> . In addition, the Unified Access License Framework which allows for a single license for multiple services such as telecom, the internet and television, provides certain security guidelines. As per the model UIL Agreements, privacy of communications is to be maintained and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. For internet services, the Agreement stipulates the keeping an Internet Protocol Detail Record (IPDR) and copies of packets from customer premises equipment (CPE). Accessed at < <a href="http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf">http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf</a>></p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> . See >> <a href="http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf"> http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf </a> >></p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> . 'India is now world's third largest Internet user after U.S., China', (The Hindu, 24 August 2013) < <a href="http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece"> http://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece </a> > Accessed..</p>
</div>
<div id="ftn7">
<p><a href="#_ftnref7" name="_ftn7">[7]</a> . Starting with <i>Kharak Singh</i> v. <i>State of UP </i>1963 AIR SC 1295<i>, </i>the<i> </i>right to privacy has been further confirmed and commented on in other cases, like <i>Govind v.State of M.P</i> (1975) 2 SCC 148: 1975 SCC (Cri) 468. A full history of the development of the Right to Privacy can be found in B.D. Agarwala, <i>Right to Privacy: A Case-By-Case Development</i>, (1996) 3 SCC (Jour) 9, available at http://www.ebc-india.com/lawyer/articles/96v3a2.htm.</p>
</div>
<div id="ftn8">
<p><a href="#_ftnref8" name="_ftn8">[8]</a> . White Paper on EU Adequacy Assessment of India, 3, ("<i>Based on an overall analysis against the identifiable principles under Article 25, the 2010 Report concludes that India does not at present provide adequate protection to personal data in relation to any sector or to the whole of its private sector or to the whole of its public sector.</i>") available at < <a href="https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf"> https://www.dsci.in/sites/default/files/WhitePaper%20EU_Adequacy%20Assessment%20of%20India.pdf </a> ></p>
</div>
<div id="ftn9">
<p><a href="#_ftnref9" name="_ftn9">[9]</a> . Planning Commission<i>, Report of the Group of Experts on Privacy</i>, 2012, (< <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>>)</p>
</div>
<div id="ftn10">
<p><a href="#_ftnref10" name="_ftn10">[10]</a> . Though a company's Privacy Policy was the main document analysed for this research, when applicable a company's Terms of Service was also reviewed.</p>
</div>
<div id="ftn11">
<p><a href="#_ftnref11" name="_ftn11">[11]</a> . BSNL and MTNL are government companies as defined under section 617, Indian Companies Act, 1956, incorporated under the Indian Companies Act, 1956. Under section 43 A (i) of the Act, a 'body corporate' has been broadly defined as "any company…sole proprietorship or other association of individuals engaged in commercial or professional activities". Therefore, for the purpose of this survey, BSNL and MTNL are recognized as bodies corporate.</p>
</div>
<div id="ftn12">
<p><a href="#_ftnref12" name="_ftn12">[12]</a> . Documents Reviewed<i>:</i> http://portal.bsnl.in/portal/privacypolicy.html</p>
</div>
<div id="ftn13">
<p><a href="#_ftnref13" name="_ftn13">[13]</a> . A full list of its services is available here: < <a href="http://bsnl.co.in/opencms/bsnl/BSNL/services/">http://bsnl.co.in/opencms/bsnl/BSNL/services/</a>></p>
</div>
<div id="ftn14">
<p><a href="#_ftnref14" name="_ftn14">[14]</a> . The MTNL website does not provide access to a privacy policy</p>
</div>
<div id="ftn15">
<p><a href="#_ftnref15" name="_ftn15">[15]</a> . A full list of its services is available here <<http://mtnldelhi.in>></p>
</div>
<div id="ftn16">
<p><a href="#_ftnref16" name="_ftn16">[16]</a> . Documents Reviewed: <a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a> , <a href="http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp">http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp</a>, <a href="http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp"> http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp </a> , <a href="http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office"> http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office </a></p>
</div>
<div id="ftn17">
<p><a href="#_ftnref17" name="_ftn17">[17]</a> . A full list of services provided by Bharti Airtel is available here: <<a href="http://www.airtel.in">www.airtel.in</a>></p>
</div>
<div id="ftn18">
<p><a href="#_ftnref18" name="_ftn18">[18]</a> . http://submarinenetworks.com/stations/asia/india/chennai-bharti</p>
</div>
<div id="ftn19">
<p><a href="#_ftnref19" name="_ftn19">[19]</a> . Documents Reviewed: <a href="http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html"> http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html </a> <a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker">https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</a> , <a href="http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html"> http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html </a></p>
</div>
<div id="ftn20">
<p><a href="#_ftnref20" name="_ftn20">[20]</a> . See < <a href="http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html."> http://historyofbusiness.blogspot.in/2013/11/history-of-vodafone.html. </a> ></p>
</div>
<div id="ftn21">
<p><a href="#_ftnref21" name="_ftn21">[21]</a> . <i>Vodafone International Holdings v Union of India</i>, WP 1325/2010, Bombay High Court</p>
</div>
<div id="ftn22">
<p><a href="#_ftnref22" name="_ftn22">[22]</a> . 'Vodafone to Buy Additional Essar India Stake for $5 Billion',(<i>Bloomberg</i>, March 31, 2011) < <a href="http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html"> http://www.bloomberg.com/news/2011-03-31/essar-exercises-option-to-sell-5-billion-stake-in-vodafone-essar-venture.html </a> >Accessed 26 May 2014</p>
</div>
<div id="ftn23">
<p><a href="#_ftnref23" name="_ftn23">[23]</a> . See <<a href="https://www.vodafone.in/pages/aboutus.aspx?cid=ker.">https://www.vodafone.in/pages/aboutus.aspx?cid=ker.</a>></p>
</div>
<div id="ftn24">
<p><a href="#_ftnref24" name="_ftn24">[24]</a> . Vodafone, <i>supra</i> note 13.</p>
</div>
<div id="ftn25">
<p><a href="#_ftnref25" name="_ftn25">[25]</a> . Documents Reviewed:<a href="http://www.tatadocomo.com/downloads/data-privacy-policy.pdf">http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</a>, <a href="http://www.tatateleservices.com/t-customercare.aspx">http://www.tatateleservices.com/t-customercare.aspx</a>, <a href="http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf"> http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf </a></p>
</div>
<div id="ftn26">
<p><a href="#_ftnref26" name="_ftn26">[26]</a> . 'Japan's Docomo acquires 26% stake in Tata Tele'(The Hindu Business Line, November 13 2008) < <a href="http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm"> http://www.thehindubusinessline.in/bline/2008/11/13/stories/2008111352410100.htm </a> .></p>
</div>
<div id="ftn27">
<p><a href="#_ftnref27" name="_ftn27">[27]</a> . Further details are available at: < <a href="http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx">http://www.tatateleservices.com/t-aboutus-ttsl-organization.aspx</a>></p>
</div>
<div id="ftn28">
<p><a href="#_ftnref28" name="_ftn28">[28]</a> . Documents Reviewed: <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 </a> , <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=customercare_consumergrievance_page </a> , <a href="http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf"> http://www.aircel.com/AircelWar/ShowProperty/UCMRepository/Contribution%20Folders/Global/PDF/Manual_Customer_Grievan.pdf </a></p>
</div>
<div id="ftn29">
<p><a href="#_ftnref29" name="_ftn29">[29]</a> . See < <a href="http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book."> http://www.aircel.com/AircelWar/appmanager/aircel/ap?_nfpb=true&_pageLabel=aboutus_book. </a> ></p>
</div>
<div id="ftn30">
<p><a href="#_ftnref30" name="_ftn30">[30]</a> . Documents Reviewed: <a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a></p>
</div>
<div id="ftn31">
<p><a href="#_ftnref31" name="_ftn31">[31]</a> . https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</p>
</div>
<div id="ftn32">
<p><a href="#_ftnref32" name="_ftn32">[32]</a> . <a href="http://www.tatadocomo.com/downloads/data-privacy-policy.pdf">http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</a></p>
</div>
<div id="ftn33">
<p><a href="#_ftnref33" name="_ftn33">[33]</a> . http://www.airtel.in/forme/privacy-policy</p>
</div>
<div id="ftn34">
<p><a href="#_ftnref34" name="_ftn34">[34]</a> .http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061</p>
</div>
<div id="ftn35">
<p><a href="#_ftnref35" name="_ftn35">[35]</a> . <a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a></p>
</div>
<div id="ftn36">
<p><a href="#_ftnref36" name="_ftn36">[36]</a> . In 2012, the Minister of State for Communications & Information Technology informed the Rajya Sabha that " <i>(a)ny change in the privacy policy is not within the purview of amended Information Technology Act, 2000</i>", while discussing changes to Google's privacy policy. Even though the Minister noted that the EU has reported its dissatisfaction with the changed policy, finding that the policy " <i>makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service</i> ", he argued that the Act and Rules therein merely stipulate the publication of a privacy policy which provides " <i>information to the end users as to how their personal information is collected, for which it is collected, processed and secure</i>". Further, when asked how changes to privacy policy affect end users, the Minister shifted the responsibility onto end users, stating that " <i> (t)he end users… need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services </i> ". ( < <a href="http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22"> http://rsdebate.nic.in/bitstream/123456789/609109/2/PQ_225_30032012_U1929_p129_p130.pdf#search=%22google%22 </a> >).</p>
</div>
<div id="ftn37">
<p><a href="#_ftnref37" name="_ftn37">[37]</a> . Available at <a href="http://portal.bsnl.in/portal/privacypolicy.htm">http://portal.bsnl.in/portal/privacypolicy.htm</a>, the privacy policy was found through a search engine and not through a link from the website. An RTI request was submitted to BSNL for a copy of its privacy policy as applicable to all its products, services and websites. BSNL responded by submitting a copy of this privacy policy even though the text of the policy does not clarify the scope.</p>
</div>
<div id="ftn38">
<p><a href="#_ftnref38" name="_ftn38">[38]</a> . See, <<a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a>></p>
</div>
<div id="ftn39">
<p><a href="#_ftnref39" name="_ftn39">[39]</a> . See <<a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a>></p>
</div>
<div id="ftn40">
<p><a href="#_ftnref40" name="_ftn40">[40]</a> . See <<a href="http://www.tataindicom.com/Download/data-privacy-policy.pdf">www.tataindicom.com/Download/data-privacy-policy.pdf</a>></p>
</div>
<div id="ftn41">
<p><a href="#_ftnref41" name="_ftn41">[41]</a> . See <<www.aircel.com/AircelWar/appmanager/aircel/delhi?_nfpb=true&_pageLabel=P26400194591312373872061>></p>
</div>
<div id="ftn42">
<p><a href="#_ftnref42" name="_ftn42">[42]</a> . See <<a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar">https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar</a>></p>
</div>
<div id="ftn43">
<p><a href="#_ftnref43" name="_ftn43">[43]</a> . See<< http://portal.bsnl.in/portal/privacypolicy.htm>></p>
</div>
<div id="ftn44">
<p><a href="#_ftnref44" name="_ftn44">[44]</a> . See <<a href="http://www.acttv.in/index.php/privacy-policy">http://www.acttv.in/index.php/privacy-policy</a>></p>
</div>
<div id="ftn45">
<p><a href="#_ftnref45" name="_ftn45">[45]</a> . See <<a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar">https://www.vodafone.in/pages/privacy_policy.aspx?cid=kar</a>></p>
</div>
<div id="ftn46">
<p><a href="#_ftnref46" name="_ftn46">[46]</a> . See <<a href="http://www.tataindicom.com/Download/data-privacy-policy.pdf">http://www.tataindicom.com/Download/data-privacy-policy.pdf</a>></p>
</div>
<div id="ftn47">
<p><a href="#_ftnref47" name="_ftn47">[47]</a> . Ibid</p>
</div>
<div id="ftn48">
<p><a href="#_ftnref48" name="_ftn48">[48]</a> . The complaint center details are available here: < <a href="http://www.tccms.gov.in/Queries.aspx?cid=1">http://www.tccms.gov.in/Queries.aspx?cid=1</a>></p>
</div>
<div id="ftn49">
<p><a href="#_ftnref49" name="_ftn49">[49]</a> . Rules 5 and 6</p>
</div>
<div id="ftn50">
<p><a href="#_ftnref50" name="_ftn50">[50]</a> . Principle 2, Principle 3, Personal Information Protection and Electronic Documents Act 2000. Available at: << <a href="http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html">http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html</a>>></p>
</div>
<div id="ftn51">
<p><a href="#_ftnref51" name="_ftn51">[51]</a> . Rule 5(7),</p>
</div>
<div id="ftn52">
<p><a href="#_ftnref52" name="_ftn52">[52]</a> . Principle 2</p>
</div>
<div id="ftn53">
<p><a href="#_ftnref53" name="_ftn53">[53]</a> . P. 21</p>
</div>
<div id="ftn54">
<p><a href="#_ftnref54" name="_ftn54">[54]</a> . Telecom Regulatory Policy CRTC 2009-657, Review of the Internet traffic management practices of Internet service providers << <a href="http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm">www.crtc.gc.ca/eng/archive/2009/2009-657.htm</a>>></p>
</div>
<div id="ftn55">
<p><a href="#_ftnref55" name="_ftn55">[55]</a> . Alex Cameron,<i>CRTC Imposes Super-PIPEDA Privacy Protections for Personal Information Collected by ISPs, </i>Privacy and Information Protection Bulletin, Fasken Martineau, << <a href="http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf"> http://www.fasken.com/files/Publication/4317fd62-0827-4d1d-b836-5b932b3b21db/Presentation/PublicationAttachment/bafbf01e-365c-47f8-86a5-5cf7d7e43787/Bulletin_-_November_2009_-_Cameron.pdf </a> . >> Accessed 21 May 2014</p>
</div>
<div id="ftn56">
<p><a href="#_ftnref56" name="_ftn56">[56]</a> . Bram D. Abramson, Grant Buchanan, Hank Intven, <i>CRTC Shapes Canadian "Net Neutrality" Rules, </i>McCarthy Tetrault. < <a href="http://www.mccarthy.ca/article_detail.aspx?id=4720">http://www.mccarthy.ca/article_detail.aspx?id=4720</a> > Accessed 21 May 2014</p>
</div>
<div id="ftn57">
<p><a href="#_ftnref57" name="_ftn57">[57]</a> . The Privacy Act, 1988, Part III, <i>available at <<</i> http://www.comlaw.gov.au/Series/C2004A03712.>></p>
</div>
<div id="ftn58">
<p><a href="#_ftnref58" name="_ftn58">[58]</a> . <i>Id</i>, note 28, Schedule 3, 1.</p>
</div>
<div id="ftn59">
<p><a href="#_ftnref59" name="_ftn59">[59]</a> . <i>Id</i>, schedule 3, 2.</p>
</div>
<div id="ftn60">
<p><a href="#_ftnref60" name="_ftn60">[60]</a> . <i>Id</i>, schedule 3, 3.</p>
</div>
<div id="ftn61">
<p><a href="#_ftnref61" name="_ftn61">[61]</a> . <i>Id</i>, schedule 3, 4.</p>
</div>
<div id="ftn62">
<p><a href="#_ftnref62" name="_ftn62">[62]</a> . <i>Id</i>, schedule 3, 5.</p>
</div>
<div id="ftn63">
<p><a href="#_ftnref63" name="_ftn63">[63]</a> . <i>Id</i>, schedule 3, 6.</p>
</div>
<div id="ftn64">
<p><a href="#_ftnref64" name="_ftn64">[64]</a> . <i>Id</i>, schedule 3, 7.</p>
</div>
<div id="ftn65">
<p><a href="#_ftnref65" name="_ftn65">[65]</a> . <i>Id</i>, schedule 3, 8.</p>
</div>
<div id="ftn66">
<p><a href="#_ftnref66" name="_ftn66">[66]</a> . <i>Id</i>, schedule 3, 9.</p>
</div>
<div id="ftn67">
<p><a href="#_ftnref67" name="_ftn67">[67]</a> . <i>Id</i>, schedule 3, 10.</p>
</div>
<div id="ftn68">
<p><a href="#_ftnref68" name="_ftn68">[68]</a> . Telecommunications Act, Part 13 (Information or a document protected under Part 13 could relate to many forms of communications, including fixed and mobile telephone services, internet browsing, email and voice over internet telephone services. For telephone-based communications, this would include subscriber information, the telephone numbers of the parties involved, the time of the call and its duration. In relation to internet-based applications, the information protected under Part 13 would include the Internet Protocol (IP) address used for the session, and the start and finish time of each session.)</p>
</div>
<div id="ftn69">
<p><a href="#_ftnref69" name="_ftn69">[69]</a> . Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, <i>available at</i> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.</p>
</div>
<div id="ftn70">
<p><a href="#_ftnref70" name="_ftn70">[70]</a> . <i>Id</i>, article 3.</p>
</div>
<div id="ftn71">
<p><a href="#_ftnref71" name="_ftn71">[71]</a> . <i>Id</i>, article 8.</p>
</div>
<div id="ftn72">
<p><a href="#_ftnref72" name="_ftn72">[72]</a> . <i>Id</i>, article 2, (d). (" <i> (d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law; </i> ")</p>
</div>
<div id="ftn73">
<p><a href="#_ftnref73" name="_ftn73">[73]</a> . European Commission-IP-12/46, 25 January 2012, < <a href="http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.">http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en.</a>></p>
</div>
<div id="ftn74">
<p><a href="#_ftnref74" name="_ftn74">[74]</a> . Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.</p>
</div>
<div id="ftn75">
<p><a href="#_ftnref75" name="_ftn75">[75]</a> . Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.</p>
</div>
<div id="ftn76">
<p><a href="#_ftnref76" name="_ftn76">[76]</a> . Rule 2 (h)</p>
</div>
<div id="ftn77">
<p><a href="#_ftnref77" name="_ftn77">[77]</a> . Rule 3 (ii)</p>
</div>
<div id="ftn78">
<p><a href="#_ftnref78" name="_ftn78">[78]</a> . Rule 3 (vii) and (viii)</p>
</div>
<div id="ftn79">
<p><a href="#_ftnref79" name="_ftn79">[79]</a> . Rule 2 (i)</p>
</div>
<div id="ftn80">
<p><a href="#_ftnref80" name="_ftn80">[80]</a> . Rule 4(iii), (iv)</p>
</div>
<div id="ftn81">
<p><a href="#_ftnref81" name="_ftn81">[81]</a> . Section 2(v) of the Act defines 'information'</p>
</div>
<div id="ftn82">
<p><a href="#_ftnref82" name="_ftn82">[82]</a> . Rule 4 (1).</p>
</div>
<div id="ftn83">
<p><a href="#_ftnref83" name="_ftn83">[83]</a> . Rule 5 (5)</p>
</div>
<div id="ftn84">
<p><a href="#_ftnref84" name="_ftn84">[84]</a> . Defined by Venkatarama Aiyar, J as: "The rule of construction is well settled that when there are in an enactment two provisions which cannot be reconciled with each other, they should be so interpreted that, if possible, effect could be given to both" in <i>Venkataramana Devaru v. State of Mysore,</i> AIR 1958 SC 255, p. 268: G. P. Singh, Principles of Statutory Interpretation, 1th ed. 2010, Lexisnexis Butterworths Wadhwa Nagpur. The principle was applied to interpret statutory Rules in A. N. Sehgal v. Raje Ram Sheoram, AIR 1991 SC 1406.</p>
</div>
<div id="ftn85">
<p><a href="#_ftnref85" name="_ftn85">[85]</a> . Rule 6</p>
</div>
<div id="ftn86">
<p><a href="#_ftnref86" name="_ftn86">[86]</a> . Rule 8</p>
</div>
<div id="ftn87">
<p><a href="#_ftnref87" name="_ftn87">[87]</a> . 52<sup>nd</sup> Report, Standing Committee on Information Technology, 24, available at < <a href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf.%20"> http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf. </a> ></p>
</div>
<div id="ftn88">
<p><a href="#_ftnref88" name="_ftn88">[88]</a> . Panel Of Information Security Auditing Organisations, CERT-IN < <a href="http://www.cert-in.org.in/PDF/background.pdf">http://www.cert-in.org.in/PDF/background.pdf</a>></p>
</div>
<div id="ftn89">
<p><a href="#_ftnref89" name="_ftn89">[89]</a> . Section 1, Guidelines for applying to CERT-In for Empanelment of IT Security Audition Organisation, < <a href="http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf">http://www.cert-in.org.in/PDF/InfoSecAuditorsEmpGuidelines.pdf</a>></p>
</div>
<div id="ftn90">
<p><a href="#_ftnref90" name="_ftn90">[90]</a> . Section 2.0, Guidelines for auditee organizations, Version 2.0, IT Security Auditing Assignment, http://www.cert-in.org.in/PDF/guideline_auditee.pdf</p>
</div>
<div id="ftn91">
<p><a href="#_ftnref91" name="_ftn91">[91]</a> . See <<a href="http://www.cert-in.org.in/PDF/Empanel_org.pdf">http://www.cert-in.org.in/PDF/Empanel_org.pdf</a>></p>
</div>
<div id="ftn92">
<p><a href="#_ftnref92" name="_ftn92">[92]</a> . Rule 4</p>
</div>
<div id="ftn93">
<p><a href="#_ftnref93" name="_ftn93">[93]</a> . Rule 4</p>
</div>
<div id="ftn94">
<p><a href="#_ftnref94" name="_ftn94">[94]</a> . Rule 5 (7)</p>
</div>
<div id="ftn95">
<p><a href="#_ftnref95" name="_ftn95">[95]</a> . See << <a href="http://www.airtel.in/forme/privacy-policy">http://www.airtel.in/forme/privacy-policy</a>>></p>
</div>
<div id="ftn96">
<p><a href="#_ftnref96" name="_ftn96">[96]</a> <i> . 'Information that can be used by itself to uniquely identify, contact or locate a person, or can be used with information available from other sources to uniquely identify an individual. For the purpose of this policy, sensitive personal data or information has been considered as a part of personal information.' </i> Accessed at << <a href="http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn97">
<p><a href="#_ftnref97" name="_ftn97">[97]</a> . Subscriber's name, father's name, mother's name, spouse's name, date of birth, current and previous addresses, telephone number, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Information related to your utilization of our services which may include your call details, your browsing history on our website, location details and additional information provided by you while using our services. We may keep a log of the activities performed by you on our network and websites by using various internet techniques such as web cookies, web beacons, server log files, etc.</p>
</div>
<div id="ftn98">
<p><a href="#_ftnref98" name="_ftn98">[98]</a> . Password<b>, </b>Financial information - details of Bank account, credit card, debit card, or other payment instrument details<b>, </b>Physical, physiological and mental health condition<b>.</b></p>
</div>
<div id="ftn99">
<p><a href="#_ftnref99" name="_ftn99">[99]</a> . Airtel states that if a customer does not provide information or consent for usage of personal information or subsequently withdraws consent, Airtel reserves the right to not provide the services or to withdraw the services for which the said information was sought. Available at: < <a href="http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/collection+of+personal+info?contentIDR=53535f55-b787-4cb8-b399-d11d97f80c26&useDefaultText=0&useDefaultDesc=0 </a> ></p>
</div>
<div id="ftn100">
<p><a href="#_ftnref100" name="_ftn100">[100]</a> . See <<a href="http://www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp">www.airtel.in/applications/xm/FixedLineNodalOfficer.jsp</a>></p>
</div>
<div id="ftn101">
<p><a href="#_ftnref101" name="_ftn101">[101]</a> . See << <a href="http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp"> http://www.airtel.in/applications/xm/BroadbandInternet_AppellateAuth.jsp </a> ></p>
</div>
<div id="ftn102">
<p><a href="#_ftnref102" name="_ftn102">[102]</a> . See << http://www.airtel.in/about-bharti/about-bharti-airtel/ombuds-office>></p>
</div>
<div id="ftn103">
<p><a href="#_ftnref103" name="_ftn103">[103]</a> . Stakeholders are defined as: employee, associate, strategic partner, vendor</p>
</div>
<div id="ftn104">
<p><a href="#_ftnref104" name="_ftn104">[104]</a> . See << <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072331247805566Bharti_Airtel_CC_AA-23072013.pdf </a> >></p>
</div>
<div id="ftn105">
<p><a href="#_ftnref105" name="_ftn105">[105]</a> . Verification of customer's identity; Complete transactions effectively and bill for products and service; Respond to customer requests for service or assistance; Perform market analysis, market research, business and operational analysis; Provide, maintain and improve Airtel products and services; Anticipate and resolve issues and concerns with Airtel products and services; Promote and market Airtel products and services which it may consider of interest and benefit to customers; and, Ensure adherence to legal and regulatory requirements for prevention and detection of frauds and crimes.</p>
</div>
<div id="ftn106">
<p><a href="#_ftnref106" name="_ftn106">[106]</a> . See << <a href="http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/disclosure+and+transfer?contentIDR=745792ad-d6af-4684-85d4-d85773e77356&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn107">
<p><a href="#_ftnref107" name="_ftn107">[107]</a> . "Airtel may obtain a customer's consent for sharing personal information in several ways, such as in writing, online, through "click-through" agreements; orally, including through interactive voice response; or when a customer's consent is part of the terms and conditions pursuant to which Airtel provides a service."</p>
</div>
<div id="ftn108">
<p><a href="#_ftnref108" name="_ftn108">[108]</a> . "Airtel and its employees may utilize some or all available personal information for internal assessments, measures, operations and related activities…"</p>
</div>
<div id="ftn109">
<p><a href="#_ftnref109" name="_ftn109">[109]</a> . Airtel may at its discretion employ, contract or include third parties external to itself for strategic, tactical and operational purposes. Such agencies though external to Airtel, will always be entities which are covered by contractual agreements. These agreements in turn include Airtel's guidelines to the management, treatment and secrecy of personal information</p>
</div>
<div id="ftn110">
<p><a href="#_ftnref110" name="_ftn110">[110]</a> . "Airtel may transfer subscriber's personal information or other information collected, stored, processed by it to any other entity or organization located in India or outside India only in case it is necessary for providing services to a subscriber or if the subscriber has consented (at the time of collection of information) to the same. This may also include sharing of aggregated information with them in order for them to understand Airtel's environment and consequently, provide the subscriber with better services. While sharing personal information with third parties, adequate measures shall be taken to ensure that reasonable security practices are followed at the third party."</p>
</div>
<div id="ftn111">
<p><a href="#_ftnref111" name="_ftn111">[111]</a> . Airtel may share subscribers' personal information with Government agencies or other authorized law enforcement agencies (LEAs) mandated under law to obtain such information for the purpose of verification of identity or for prevention, detection, investigation including but not limited to cyber incidents, prosecution, and punishment of offences.</p>
</div>
<div id="ftn112">
<p><a href="#_ftnref112" name="_ftn112">[112]</a> . See<< <a href="http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0"> http://www.airtel.in/forme/privacy-policy/security+practices+and+procedures?contentIDR=9346516c-c1a1-4bd7-bce0-6945236dceaa&useDefaultText=0&useDefaultDesc=0 </a> >></p>
</div>
<div id="ftn113">
<p><a href="#_ftnref113" name="_ftn113">[113]</a> . Airtel adopts reasonable security practices and procedures, in line with international standard IS/ISO/IEC 27001, to include, technical, operational, managerial and physical security controls in order to protect a customer's personal information from unauthorized access, or disclosure while it is under our control.</p>
</div>
<div id="ftn114">
<p><a href="#_ftnref114" name="_ftn114">[114]</a> . Airtel's security practices and procedures limit access to personal information on need-only basis. Further, its employees are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information.</p>
</div>
<div id="ftn115">
<p><a href="#_ftnref115" name="_ftn115">[115]</a> . Airtel takes adequate steps to ensure that its third parties adopt reasonable level of security practices and procedures to ensure security of personal information.</p>
</div>
<div id="ftn116">
<p><a href="#_ftnref116" name="_ftn116">[116]</a> . Airtel may retain a subscriber's personal information for as long as required to provide him/her with services or if otherwise required under any law.</p>
</div>
<div id="ftn117">
<p><a href="#_ftnref117" name="_ftn117">[117]</a> . "When Airtel disposes of its customers' personal information, it uses reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media)."</p>
</div>
<div id="ftn118">
<p><a href="#_ftnref118" name="_ftn118">[118]</a> . Airtel maintains the security of its internet connections, however for reasons outside of its control, security risks may still arise. Any personal information transmitted to Airtel or from its online products or services will therefore be at a customer's own risk. It observes reasonable security measures to protect a customer's personal information against hacking and virus dissemination.</p>
</div>
<div id="ftn119">
<p><a href="#_ftnref119" name="_ftn119">[119]</a> . See << <a href="http://www.tatadocomo.com/downloads/data-privacy-policy.pdf">http://www.tatadocomo.com/downloads/data-privacy-policy.pdf</a> >></p>
</div>
<div id="ftn120">
<p><a href="#_ftnref120" name="_ftn120">[120]</a> . Information that customers provide to non-TTL companies is not covered by TTL's Policy. For example: When customers download applications or make an online purchase from a non-TTL company while using TTL's Internet or wireless services, the information collected by the non-TTL company is not subject to this Policy. When you navigate to a non-TTL company from TTL websites or applications (by clicking on a link or an advertisement, for example), information collected by the non-TTL company is governed by its privacy policy and not TTL's Privacy Policy. If one uses public forums - such as social networking services, Internet bulletin boards, chat rooms, or blogs on TTL or non-TTL websites, any Personal Information disclosed publicly can be read, collected, or used by others. Once one chooses to reveal Personal Information on such a site, the information is publicly available, and TTL cannot prevent distribution and use of that information by other parties. Information on a wireless Customer's location, usage and numbers dialed, which is roaming on the network of a non-TTL company will be subject to the privacy policy of the non-TTL company, and not TTL's Policy.</p>
</div>
<div id="ftn121">
<p><a href="#_ftnref121" name="_ftn121">[121]</a> . "Personal Information" is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.</p>
</div>
<div id="ftn122">
<p><a href="#_ftnref122" name="_ftn122">[122]</a> . Personal Information - Some general examples - TTL may collect Confidential Data in different forms such as Personal and other Information based on a customer's use of its products and services. Some examples include, Contact Information that allows us to communicate with you -- including your name, address, telephone number, and e-mail address; Billing information -- including payment data, credit history, credit card number, security codes, and service history. Equipment, Performance, TTL Website Usage, Viewing and other Technical Information about use of TTL's network, services, products or websites.</p>
<p>Technical & Usage Information is clarified in the FAQs as information related to the services provided, use of TTL's network, services, products or websites. Examples of the Technical & Usage Information collected include: <b>Equipment Information</b> that identifies the equipment used on TTL's network, such as equipment type, IDs, serial numbers, settings, configuration, and software. <b>Performance Information</b> about the operation of the equipment, services and applications used on TTL's network, such as IP addresses, URLs, data transmission rates and latencies, location information, security characteristics, and information about the amount of bandwidth and other network resources used in connection with uploading, downloading or streaming data to and from the Internet. <b>TTL Website Usage Information</b> about the use of TTL websites, including the pages visited, the length of time spent, the links or advertisements followed and the search terms entered on TTL sites, and the websites visited immediately before and immediately after visiting one of TTL's sites. TTL also may collect similar information about a customer's use of its applications on wireless devices. <b>Viewing Information</b> about the programs watched and recorded and similar choices under Value added TTL services and products.</p>
</div>
<div id="ftn123">
<p><a href="#_ftnref123" name="_ftn123">[123]</a> . Ways in which TTL collects information: On the purchase or interaction about a TTL product or service provided; Automatically collected when one visits TTL's websites or uses its products and services; Other sources, such as credit agencies.</p>
</div>
<div id="ftn124">
<p><a href="#_ftnref124" name="_ftn124">[124]</a> . See << <a href="http://www.tatateleservices.com/t-customercare.aspx">http://www.tatateleservices.com/t-customercare.aspx</a> >></p>
</div>
<div id="ftn125">
<p><a href="#_ftnref125" name="_ftn125">[125]</a> . See << <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341218463621Tata_CC_AA_1-23072013.pdf </a> >></p>
</div>
<div id="ftn126">
<p><a href="#_ftnref126" name="_ftn126">[126]</a> . To provide the best customer experience possible; Provide the services a customer purchases, respond to customer questions; Communicate with customers regarding service updates, offers, and promotions; Deliver customized content and advertising that may be of interest to customers; Address network integrity and security issues; Investigate, prevent or take action regarding illegal activities, violations of TTL's Terms of Service or Acceptable Use Policies.</p>
</div>
<div id="ftn127">
<p><a href="#_ftnref127" name="_ftn127">[127]</a> . <b>Site functionality</b> - Cookies and other tracking tools are used to help TTL analyze, manage and improve websites and storing customer preferences. <b>Advertising</b> - TTL and its advertising partners, including Yahoo! and other advertising networks, use anonymous information gathered through cookies and other similar technologies, as well as other information TTL or its advertising networks may have, to help tailor the ads a customer sees on its sites.</p>
</div>
<div id="ftn128">
<p><a href="#_ftnref128" name="_ftn128">[128]</a> . TTL collects some Information on an anonymous basis. TTL also may anonymize the Personal Information it collects about customers. It may obtain aggregate data by combining anonymous data that meet certain criteria into groups.</p>
</div>
<div id="ftn129">
<p><a href="#_ftnref129" name="_ftn129">[129]</a> . In Other Circumstances: TTL may provide Personal Information to non-TTL companies or other third parties for purposes such as: To assist with identity verification, and to prevent fraud and identity theft; Enforcing its agreements and property rights; Obtaining payment for products and services that appear on customers' TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; and to comply to legal and regulatory requirements. TTL shares customer Personal Information only with non-TTL companies that perform services on its behalf, and only as necessary for them to perform those services. TTL requires those non-TTL companies to protect any Personal Information they may receive in a manner consistent with this policy. TTL does not provide Personal Information to non-TTL companies for the marketing of their own products and services without a customer's consent. TTL may share aggregate or anonymous Information in various formats with trusted non-TTL entities, and may work with those entities to do research and provide products and services.</p>
</div>
<div id="ftn130">
<p><a href="#_ftnref130" name="_ftn130">[130]</a> . TTL provides Personal Information to non-TTL companies or other third parties (for example, to government agencies, credit bureaus and collection agencies) without consent for certain purposes, such as: To comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims; To obtain payment for products and services that appear on customer TTL billing statements, including the transfer or sale of delinquent accounts to third parties for collection; To enforce its agreements, and protect our rights or property; To assist with identity verification, and to prevent fraud and identity theft; To prevent unlawful use of TTL's services and to assist in repairing network outages; To provide information regarding the caller's location to a public safety entity when a call is made to police/investigation agencies, and to notify the public of wide-spread emergencies; To notify or respond to a responsible governmental entity if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay; To display name and telephone number on a Caller ID device;</p>
</div>
<div id="ftn131">
<p><a href="#_ftnref131" name="_ftn131">[131]</a> . Subject to applicable legal restrictions, such as those that exist for Customer Proprietary Network Information (CPNI), the TTL companies may share your Personal Information with each other to make sure your experience is as seamless as possible, and you have the benefit of what TTL has to offer.</p>
</div>
<div id="ftn132">
<p><a href="#_ftnref132" name="_ftn132">[132]</a> . Customers and Users should be aware that TTL affiliates and non-TTL companies that perform services on behalf of TTL may be located outside the country where customers access TTL's services. As a result, when customer Personal Information is shared with or processed by such entities, it may be accessible to government authorities according to the laws of those jurisdictions.</p>
</div>
<div id="ftn133">
<p><a href="#_ftnref133" name="_ftn133">[133]</a> . TTL has implemented appropriate security controls to protect Personal Information when stored or transmitted by TTL. It has established electronic and administrative safeguards designed to secure the information it collects, to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately. Some examples of those safeguards include: All TTL employees are subject to the internal Code of Business Conduct. The TTL Code requires all employees to follow the laws, rules, regulations, court and/or commission orders that apply to TTL's business such as legal requirements and company policies on the privacy of communications and the security and privacy of Customer records. Employees who fail to meet the standards embodied in the Code of Business Conduct are subject to disciplinary action, up to and including dismissal. TTL has implemented technology and security features and strict policy guidelines to safeguard the privacy of customer Personal Information. TTL has implemented encryption or other appropriate security controls to protect Personal Information when stored or transmitted by it; TTL limits access to Personal Information to those employees, contractors, and agents who need access to such information to operate, develop, or improve its services and products; TTL requires caller/online authentication before providing Account Information so that only the customer or someone who knows the customer's account Information will be able to access or change the information.</p>
</div>
<div id="ftn134">
<p><a href="#_ftnref134" name="_ftn134">[134]</a> . See << <a href="http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf"> http://www.tatateleservices.com/download/aboutus/ttml/TTML-Annual-Report-2012-13.pdf </a> >></p>
</div>
<div id="ftn135">
<p><a href="#_ftnref135" name="_ftn135">[135]</a> . See << <a href="https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker">https://www.vodafone.in/pages/privacy_policy.aspx?cid=ker</a> >></p>
</div>
<div id="ftn136">
<p><a href="#_ftnref136" name="_ftn136">[136]</a> . "We have created this Privacy Policy to help you understand how we collect, use and protect your information when you visit our web and WAP sites and use our products and services."</p>
</div>
<div id="ftn137">
<p><a href="#_ftnref137" name="_ftn137">[137]</a> . Vodafone may hold information relating to customers that has been provided (such as on an application or registration form) or that it may have obtained from another source (such as its suppliers or from marketing organisations and credit agencies).</p>
<p>This information may include, amongst other things, a customer's name, address, telephone numbers, information on how a customer uses Vodafone's products and services (such as the type, date, time, location and duration of calls or messages, the numbers called and how much a customer spends, and information on his/her browsing activity when visiting one of Vodafone's group companies' websites), the location of a customer's mobile phone from time to time, lifestyle information and any other information collected in relation to his/her use of Vodafone's products and services ("information").</p>
<p>It may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts with its website, and web-related products and services.</p>
<p>It may use a persistent cookie to record details such as a unique user identity and general registration details on your PC. Vodafone states that most browser technology (such as Internet Explorer, Netscape etc) allows one to choose whether to accept cookies or not - a customer can either refuse all cookies or set their browser to alert them each time that a website tries to set a cookie.</p>
</div>
<div id="ftn138">
<p><a href="#_ftnref138" name="_ftn138">[138]</a> . In case of any concerns the privacy officer can be contacted at <a href="mailto:privacyofficer@vodafone.com">privacyofficer@vodafone.com</a>. Additionally, details of the Grievance Redressal Officers are provided via the TRAI website. (TRAI website: <a href="http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf"> http://www.trai.gov.in/WriteReadData/ConsumerGroup/Document/2013072341567851124Vodafone_CC_AA-23072013.pdf </a>)</p>
</div>
<div id="ftn139">
<p><a href="#_ftnref139" name="_ftn139">[139]</a> . The information that Vodafone collects from customers is held in accordance with applicable laws and regulations in India. It may be used by us for a number of purposes connected with its business operations and functions, which include:</p>
<p>2.1 Processing customer orders or applications;</p>
<p>2.2 Carrying out credit checking and scoring (unless Vodafone have agreed otherwise);</p>
<p>2.3 Providing the customer with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering his/her account;</p>
<p>2.4 Billing</p>
<p>2.5 Settling accounts with those who provide related services to Vodafone;</p>
<p>2.6 Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes;</p>
<p>2.7 Carrying out market and product analysis and marketing Vodafone and its group companies' products and services generally;</p>
<p>2.8 Contacting a customer (including by post, email, fax, short text message (SMS), pager or telephone) about Vodafone and its group companies' products and services and the products and services of carefully selected third parties which it thinks may be of interest to customers (unless a customer asks us in writing not to). Electronic marketing messages may not include a marketing facility.</p>
<p>2.9 Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that a customer may have in respect of our and our group companies' schemes.</p>
<p>2.10 inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party (subject to any objection or preference a customer may have indicated to us in writing);</p>
<p>2.11 carrying out any activity in connection with a legal, governmental or regulatory requirement on Vodafone or in connection with legal proceedings, crime or fraud prevention, detection or prosecution;</p>
<p>2.12 carrying out activities connected with the running of Vodafone's business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Vodafone's business with respect to a customer or a potential customer.</p>
</div>
<div id="ftn140">
<p><a href="#_ftnref140" name="_ftn140">[140]</a> . In the need for disclosure to third parties, the personal information will only be disclosed to the third parties below:</p>
<p>3.1 Vodafone's group companies who may in India use and disclose your information for the same purposes as us;</p>
<p>3.2 those who provide to Vodafone or its group companies products or services that support the services that we provide, such as our dealers and suppliers;</p>
<p>3.3 credit reference agencies (unless Vodafone has agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Vodafone makes against a customer's name;</p>
<p>3.4 if someone else pays a customer's bill, such as a customer's employer, that person;</p>
<p>3.5 those providing telephone and similar directories or directory enquiry services</p>
<p>3.6 anyone Vodafone transfers business to in respect of which a person is a customer or a potential customer;</p>
<p>3.7 anyone who assists Vodafone in protecting the operation of the Vodafone India networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities;</p>
<p>3.8 persons to whom Vodafone may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services;</p>
<p>3.9 any person or organisation as authorised by laws and regulations applicable in India.</p>
<p>If a customer has opted in to receiving marketing material from Vodafone, it may also provide customer's personal information to carefully selected third parties who we reasonably believe provide products or services that may be of interest to customers and who have contracted with Vodafone India to keep the information confidential, or who are subject to obligations to protect your personal information.</p>
<p>To opt out of receiving Vodafone marketing materials, customers can send a 'Do Not Disturb' message to Vodafone. If a customer wishes to use Vodafone products or services abroad, his/her information may be transferred outside India to that country. Vodafone's websites and those of its group companies may also be based on servers located outside of India.</p>
</div>
<div id="ftn141">
<p><a href="#_ftnref141" name="_ftn141">[141]</a> . Vodafone takes reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorized access, modification or disclosure.</p>
<p>Vodafone makes every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to it or from its online products or services will be at a customer's own risk, however, it will use its best efforts to ensure that any such information remains secure. Vodafone cannot protect any information that a customer makes available to the general public - for example, on message boards or in chat rooms.</p>
<p>Vodafone may use cookies and other interactive techniques such as web beacons to collect non-personal information about how a customer interacts.</p>
</div>
<div id="ftn142">
<p><a href="#_ftnref142" name="_ftn142">[142]</a> . See <<a href="http://www.vodafone.com">http://www.vodafone.com</a>></p>
</div>
<div id="ftn143">
<p><a href="#_ftnref143" name="_ftn143">[143]</a> . See < <a href="http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html"> http://www.vodafone.com/content/sustainability/operating_responsibly/privacy_and_security.html </a> ></p>
</div>
<div id="ftn144">
<p><a href="#_ftnref144" name="_ftn144">[144]</a> . <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061 </a> (Scope - This Privacy Policy has been created to help customers understand how Aircel collects, uses and protects customer information when one visits its web and WAP sites and uses its products and services.)</p>
</div>
<div id="ftn145">
<p><a href="#_ftnref145" name="_ftn145">[145]</a> . This information may include, amongst other things, customer's name, father's name, mother's name, spouse's name, date of birth, address, telephone numbers, mobile phone number, email address, occupation and information contained in the documents used as proof of identity and proof of address. Aircel may also hold information related to utilization of its services. This may include customer call records, browsing history while surfing Aircel's website, location details and additional information provided by customer while using our services.</p>
<p>Aircel may keep a log of the activities performed by a customer on its websites by using various internet techniques such as web cookies, web beacons, server log files, etc.</p>
<p>Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with Aircel's website, and web-related products and services.</p>
<p>Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on customer's Personal Computers.</p>
</div>
<div id="ftn146">
<p><a href="#_ftnref146" name="_ftn146">[146]</a> . In case a customer does not provide information or consent for usage of personal information or later on withdraw consent for usage of the personal information so collected, Aircel reserves the right to discontinue the services for which the said information was sought.</p>
</div>
<div id="ftn147">
<p><a href="#_ftnref147" name="_ftn147">[147]</a> . In case of any feedback or concern regarding protection of personal information, customers can contact Aircel's <b>Circle Care ID.</b> Alternatively, customers may also direct their privacy-related feedback or concerns to the <b>Circle Nodal Officer.</b> (e.g. - Delhi Circle Nodal details are as mentioned below):</p>
<p><b>1. </b> <b>Name: Moushumi De</b></p>
<p><b> Contact Number: 9716199209</b></p>
<p><b> E-mail: </b> <a href="http://www.aircel.com/AircelWar/appmanager/aircel/karnataka?_nfpb=true&_pageLabel=P26400194591312373872061"> <b>nodalofficer.delhi@aircel.co.in</b> </a></p>
<p>Further, it provides for a general customer grievance redressal mechanism.</p>
<p>Additionally, details of the Grievance Redressal Officers are provided via the TRAI website.</p>
<p><b> To resolve all concerns, Aircel has established a 2-tier complaint handling mechanism.</b> <b>Level I: Our Customer Touch Points</b> As an Aircel customer you have the convenience to contact at Customer Interface Points via email, post or telephone. <b>Level II - Appellate Authority</b> Despite the best efforts put by Aircel's executive, if a customer is still not satisfied with the resolution provided then he/she may submit his/her concern to the Appellate Authority of the circle. Comments - However, this information contradicts the mechanism provided under Aircel's Manual of Practice for handling Consumer Complaints, which provides for a 3-tier complaint handling mechanism.</p>
<p>[According to the DoT - The <b> earlier three-tier complaint redressal mechanism - Call center, Nodal Center and Appellate Authority, has been replaced by a two-tier </b> one by doing away with the level of Nodal Officer. This is because the Complaint Centres are essentially registration and response centres and do not deal with the resolution of complaints. They only facilitate registration of consumer complaint and the level at which a problem is resolved within a company depends upon the complexity of the issue involved.]</p>
</div>
<div id="ftn148">
<p><a href="#_ftnref148" name="_ftn148">[148]</a> . It may be used by us for a number of purposes connected with our business operations and functions, which include:</p>
<p>1. Processing customer orders or applications.</p>
<p>2. Carrying out credit checking and scoring (unless agreed otherwise).</p>
<p>3. Providing customers with products and/or services requested (including the presentation or elimination of calling or connected line identification) or administering a customer's account.</p>
<p>4. Billing (unless there exists another agreed method).</p>
<p>5. Settling accounts with those who provide related services to Aircel.</p>
<p>6. Dealing with requests, enquiries or complaints and other customer care related activities; and all other general administrative and business purposes.</p>
<p>7. Carrying out market and product analysis and marketing our and our group companies' products and services generally.</p>
<p>8. Contacting customers (including by post, email, fax, short text message (SMS), pager or telephone) about Aircel and its group companies' products and services and the products and services of carefully selected third parties which it thinks may be of interest to a customer (unless a customer says 'no' in writing). Electronic messages need not have an unsubscribe facility.</p>
<p>9. Registering customer details and allocating or offering rewards, discounts or other benefits and fulfilling any requests that customers may have in respect of Aircel and its group companies' loyalty or reward programmes and other similar schemes.</p>
<p>10. Inclusion in any telephone or similar directory or directory enquiry service provided or operated by Aircel or by a third party (subject to any objection or preference a customer may have indicated in writing).</p>
<p>11. Carrying out any activity in connection with a legal, governmental or regulatory requirement on Aircel or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.</p>
<p>12. Carrying out activities connected with the running of business such as personnel training, quality control, network monitoring, testing and maintenance of computer and other systems and in connection with the transfer of any part of Aircel's business with respect to a customer or potential customer.</p>
<p>Aircel may use cookies and other interactive techniques such as web beacons to collect non-personal information about how customers interact with our website, and web-related products and services, to:</p>
<p>● Understand what a customer likes and uses about Aircel's website.</p>
<p>● Provide a more enjoyable, customised service and experience</p>
<p>Aircel may use a persistent cookie to record details such as a unique user identity and general registration details on your Personal Computer.</p>
</div>
<div id="ftn149">
<p><a href="#_ftnref149" name="_ftn149">[149]</a> . Where Aircel needs to disclose your information to third parties, such third parties will be:</p>
<p>1. Group companies who may use and disclose your information for the same purposes as us.</p>
<p>2. Those who provide to Aircel or its group companies products or services that support the services that we provide, such as our dealers and suppliers.</p>
<p>3. Credit reference agencies (unless we have agreed otherwise) who may share your information with other organisations and who may keep a record of the searches Aircel makes against your name.</p>
<p>4. If someone else pays a customer's bill, such as an employer.</p>
<p>5. Those providing telephone and similar directories or directory enquiry services.</p>
<p>6. Anyone Aircel transfers its business to in respect of which you are a customer or a potential customer.</p>
<p>7. Anyone who assists Aircel in protecting the operation of the Aircel networks and systems, including the use of monitoring and detection in order to identify potential threats, such as hacking and virus dissemination and other security vulnerabilities.</p>
<p>8. Persons to whom Aircel may be required to pass customer information by reason of legal, governmental or regulatory authority including law enforcement agencies and emergency services.</p>
<p>If a customer has opted in to receiving marketing material from Aircel, it may also provide personal information to carefully selected third parties who it reasonably believes to provide products or services that may be of interest to customers and who have contracted with Aircel to keep the information confidential, or who are subject to obligations to protect customer personal information.</p>
</div>
<div id="ftn150">
<p><a href="#_ftnref150" name="_ftn150">[150]</a> . We adopt reasonable security practices and procedures to include, technical, operational, managerial and physical security control measures in order to protect your personal information from unauthorized access, or disclosure while it is under our control. Our security practices and procedures limit access to personal information on need to know basis. Further, our employees, to the extent they may have limited access to your personal information on need to know basis, are bound by Code of Conduct and Confidentiality Policies which obligate them to protect the confidentiality of personal information. We take adequate steps to ensure that our third parties adopt reasonable level of security practices and procedures to ensure security of personal information.</p>
<p>We may retain your personal information for as long as required to provide you with services or if otherwise required under any law. We, however, assure you that Aircel does not disclose your personal information to unaffiliated third parties (parties outside Aircel corporate network and its Strategic and Business Partners) which could lead to invasion of your privacy.</p>
<p>When we dispose of your personal information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents and wiping electronic media).</p>
<p>We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification or disclosure. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For example, we store the personal information you provide on computer systems with limited access, which are located in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Secure Socket Layer (SSL) protocol. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving a site or service to protect access to your information from subsequent users.</p>
<p>We make every effort to maintain the security of our internet connections; however for reasons outside of our control, security risks may still arise. Any personal information transmitted to us or from our online products or services will therefore be your own risk, however we will use our best efforts to ensure that any such information remains secure.</p>
</div>
<div id="ftn151">
<p><a href="#_ftnref151" name="_ftn151">[151]</a> . http://www.acttv.in/index.php/privacy-policy</p>
</div>
<div id="ftn152">
<p><a href="#_ftnref152" name="_ftn152">[152]</a> . "When you register, we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests.</p>
<p>The Company collects information about your transactions with us and with some of our business partners, including information about your use of products and services that we offer."</p>
</div>
<div id="ftn153">
<p><a href="#_ftnref153" name="_ftn153">[153]</a> . Not provided for on the TRAI website as ACT is not a telecom.</p>
</div>
<div id="ftn154">
<p><a href="#_ftnref154" name="_ftn154">[154]</a> . The Company can use information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.</p>
<p>The Company collects personal information when you register with the Company, when you use the Company products or services, when you visit the Company pages or the pages of certain partners of the Company. The Company may combine information about you that we have, with information we obtain from business partners or other companies. The Company shall have the right to pass on the same to its business associates, franchisees without referring the same to you.</p>
</div>
<div id="ftn155">
<p><a href="#_ftnref155" name="_ftn155">[155]</a> . Aircel provide the information to trusted partners who work on behalf of or with the Company under confidentiality agreements. These companies may use customer personal information to help the Company communicate about offers from the Company and marketing partners.</p>
<p>Aircel believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Company's terms of use, or as otherwise required by law.</p>
<p>Aircel transfer information about a customer if the Company is acquired by or merged with another company under a different management. In this event, the Company will notify a customer before information about a customer is transferred and becomes subject to a different privacy policy.</p>
<p>The Company plans to display targeted advertisements based on personal information. Advertisers (including ad serving companies) may assume that people who interact with, view, or click on targeted ads meet the targeting criteria - for example, women ages 18-24 from a particular geographic area.</p>
<p>The Company will not provide any personal information to the advertiser when customers interact with or view a targeted ad. However, by interacting with or viewing an ad a customer consents to the possibility that the advertiser will make the assumption that he/she meets the targeting criteria used to display the ad.</p>
</div>
<div id="ftn156">
<p><a href="#_ftnref156" name="_ftn156">[156]</a> . Rule 8.</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules'>https://cis-india.org/internet-governance/blog/a-study-of-the-privacy-policies-of-indian-service-providers-and-the-43a-rules</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2015-01-13T02:37:31Z | Blog Entry
Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill
https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill
<b>Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill. </b>
<h2>Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill</h2>
<h3>Constitutional Right to Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.</p>
<h3 style="text-align: justify; ">Nine National Privacy Principles</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:</p>
<ul>
<li style="text-align: justify; "><b>Notice</b>: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects. <br /><br />In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected.
If the purpose for which the personal data is used changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put; whether or not the personal data will be disclosed to a third person and, if so, the identity of such person; if the personal data being collected is intended to be transferred outside India, the reasons for doing so; how such transfer helps in achieving the legitimate purpose; whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place, data controllers must inform the affected data subject if the data has been lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; or processed, re-identified or disclosed in an unauthorized manner.<br /><br />Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Choice and Consent</b>: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on Privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subjects will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex, the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data. <br /><br />Unlike the principle recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exceptional cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Collection Limitation:</b> The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and consent taken. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Purpose Limitation</b>: Though the principles of Purpose Limitation in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill are similar, in that both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which it is processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data. </li>
</ul>
<ul>
<li><b>Access and Correction</b>: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Disclosure of Information: </b>The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended, this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound to adhere to all relevant and applicable privacy principles.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Security:</b> The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>Openness:</b> The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity of the data they collect. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Accountability:</b> The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles. </li>
</ul>
<p style="text-align: justify; "><b>Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material</b>: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).</p>
<p style="text-align: justify; ">With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. <br /><br />With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised. <br /><br />With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.</p>
<h3 style="text-align: justify; ">Additional Protection for Sensitive Personal Data</h3>
<p style="text-align: justify; ">The <b>Report of the Group of Experts on Privacy</b> broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The <b>2014 Privacy Bill</b> incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected and processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India; the authority has, by a general or specified order, permitted the processing of such data for a specific purpose and the processing is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.</p>
<h3 style="text-align: justify; ">Privacy Officers</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.</p>
<h3 style="text-align: justify; ">Co-regulatory Framework</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry-level self-regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry-level self-regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.</p>
<h2 style="text-align: justify; ">Recommendations in the Report that are not in the Bill</h2>
<h3>Scope</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.</p>
<h3 style="text-align: justify; ">Exceptions</h3>
<p>The Report of the Group of Experts recommends the following as exceptions to the right to privacy:</p>
<ol>
<li>National security</li>
<li>Public order</li>
<li>Disclosure in the public interest </li>
<li>Prevention, detection, investigation, and prosecution of criminal offenses </li>
<li>Protection of the individual and rights and freedoms of others </li>
</ol>
<p>The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.</p>
<p style="text-align: justify; ">The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:</p>
<ol>
<li>Sovereignty, integrity or security of India; or</li>
<li>Strategic, scientific or economic interest of India; or</li>
<li>Preventing incitement to the commission of any offence; or</li>
<li>Prevention of public disorder; or</li>
<li>The investigation of any crime; or</li>
<li>Protection of rights and freedoms of others; or</li>
<li>Friendly relations with foreign states; or</li>
<li>Any other legitimate purpose mentioned in this Act.</li>
</ol>
<p style="text-align: justify; ">Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.</p>
<h3 style="text-align: justify; ">Constitution of Infringement of Privacy</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast, the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to Information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.</p>
<h3 style="text-align: justify; ">The Data Protection Authority</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The Privacy Commissioner should have the power to receive and investigate class action complaints, and the investigative powers of the Commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo motu, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio and video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SROs.</p>
<p style="text-align: justify; ">Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.</p>
<p style="text-align: justify; ">The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate any complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.</p>
<h3 style="text-align: justify; ">Tribunal and System of Complaints</h3>
<p style="text-align: justify; ">Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.</p>
<h3 style="text-align: justify; ">Penalties and Offenses</h3>
<p style="text-align: justify; ">The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.</p>
<p style="text-align: justify; ">In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.</p>
<hr />
<p><b>References</b></p>
<ol>
<li><a href="https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011/" class="external-link">Leaked Privacy Bill: 2014 vs. 2011 </a></li>
<li><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of the Group of Experts on Privacy</a></li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill'>https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill</a>
</p>
No publisher | elonnai | Featured, Internet Governance, Privacy | 2014-04-14T06:10:20Z | Blog Entry
Intermediary Liability Resources
https://cis-india.org/internet-governance/blog/intermediary-liability-resources
<b>We bring you a list of intermediary resources as part of research on internet governance. This blog post will be updated on an ongoing basis.</b>
<ol>
<li style="text-align: justify; "><b>Shielding the Messengers: Protecting Platforms for Expression and Innovation. </b>The Centre for Democracy and Technology. December 2012, available at: <a href="https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf">https://www.cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf</a>: This paper analyses the impact that intermediary liability regimes have on freedom of expression, privacy, and innovation. In doing so, the paper highlights different models of intermediary liability regimes, reviews different technological means of restricting access to content, and provides recommendations for intermediary liability regimes as well as alternative ways of addressing illegal content online.</li>
<li style="text-align: justify; "><b>Internet Intermediaries: Dilemma of Liability:</b> Article 19. 2013, available at: <a href="http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf">http://www.article19.org/data/files/Intermediaries_ENGLISH.pdf</a>: This Policy Document reviews different components of intermediary liability and highlights the challenges and risks that current models of liability pose to online freedom of expression. Relying on international standards for freedom of expression and comparative law, the document includes recommendations and alternative models that provide stronger protection for freedom of expression. The key recommendations in the document include: web hosting providers or hosts should be immune from liability for third party content if they have not modified the content; privatised enforcement should not be a model and removal orders should come only from courts or adjudicatory bodies; the model of notice to notice should replace notice and takedown regimes; and in cases of alleged serious criminality clear conditions should be in place and defined.</li>
<li style="text-align: justify; "><b>Comparative Analysis of the National Approaches to the Liability of Internet Intermediaries:</b> Prepared by Daniel Seng for WIPO, available at http://www.wipo.int/export/sites/www/copyright/en/doc/liability_of_internet_intermediaries.pdf: This Report reviews the intermediary liability regimes and associated laws in place across fifteen different contexts with a focus on civil copyright liability for internet intermediaries. The Report seeks to find similarities and differences across the regimes studied and highlight principles and components in the different regimes that can be used in international treaties and instruments, upcoming policies, and court decisions.</li>
<li style="text-align: justify; "><b>Freedom of Expression, Indirect Censorship, & Liability for Internet Intermediaries.</b> The Electronic Frontier Foundation. February 2011, available at: <a href="http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf">http://infojustice.org/download/tpp/tpp-civil-society/EFF%20presentation%20ISPs%20and%20Freedom%20of%20Expression.pdf</a>: This presentation was created for the Trans-Pacific Partnership Stakeholder Forum in Chile. It highlights that for freedom of expression to be protected, clear legal protections for internet intermediaries are needed, and advocates for a regime that provides blanket immunity to intermediaries or is based on judicial takedown notices.</li>
<li style="text-align: justify; "><b>Study on the Liability of Internet Intermediaries. Contracted by the European Commission.</b> 2007, available at: <a href="http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf">http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf</a>. This Report provides insight on the application of the intermediary liability sections of the EU e-commerce directive and studies the impact of the regulations under the Directive on the functioning of intermediary information society services. To achieve this objective, the study identifies relevant case law across member states, calls out and evaluates developing trends across Member States, and draws conclusions.</li>
<li style="text-align: justify; "><b>Internet Intermediary Liability: Identifying Best Practices for Africa.</b> Nicolo Zingales for the Association for Progressive Communications, available at: <a href="https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf">https://www.apc.org/en/system/files/APCInternetIntermediaryLiability_BestPracticesAfrica_20131125.pdf</a>: This background paper seeks to identify challenges and opportunities in addressing intermediary liability for countries in the African Union and recommend safeguards that can be included in emerging intermediary liability regimes in the context of human rights. The paper also reviews different models of intermediary liability and discusses the limitations, scope, and modes of operation of each model. </li>
<li style="text-align: justify; "><b>The Liability of Internet Intermediaries in Nigeria, Kenya, South Africa, and Uganda</b>: An uncertain terrain. Association for Progressive Communications. October 2012, available at: <a href="http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain">http://www.academia.edu/2484536/The_liability_of_internet_intermediaries_in_Nigeria_Kenya_South_Africa_and_Uganda_An_uncertain_terrain</a>: This Report reviews intermediary liability in Nigeria, Kenya, South Africa and Uganda – providing background to the political context, relevant legislation, and present challenges. In doing so, the Report provides insight into how intermediary liability has changed in recent years in these contexts and explores past and present debates on intermediary liability. The Report concludes with recommendations for stakeholders affected by intermediary liability. </li>
<li style="text-align: justify; "><b>The Fragmentation of intermediary liability in the UK</b>. Daithi Mac Sithigh. 2013, available at: <a href="http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT">http://jiplp.oxfordjournals.org/content/8/7/521.full.pdf?keytype=ref&ijkey=zuL8aFSzKJqkozT</a>. This article looks at the application of the Electronic Commerce Directive across Europe and argues that it is being intermixed with, and subsequently replaced by, provisions from national legislation and provisions of law from area specific legislation. Thus, the article argues that systems for intermediary liability are dividing into multiple systems – for example, for content related to copyright, intermediaries are being given new responsibilities, while for content related to defamation, there is a reduction in the liability that intermediaries are held to. </li>
<li><b>Regimes of Legal Liability for Online Intermediaries: an Overview</b>. OECD, available at: <a href="http://www.oecd.org/sti/ieconomy/45509050.pdf">http://www.oecd.org/sti/ieconomy/45509050.pdf</a>. This article provides an overview of different intermediary liability regimes including EU and US. </li>
<li style="text-align: justify; "><b>Closing the Gap: Indian Online Intermediaries and a Liability System Not Yet Fit for Purpose</b>. GNI. 2014, available at: <a href="http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf">http://www.globalnetworkinitiative.org/sites/default/files/Closing%20the%20Gap%20-%20Copenhagen%20Economics_March%202014_0.pdf</a>. This Report argues that the provisions of the Information Technology Act 2000 are not adequate to deal with ICT innovations, and that the current liability regime in India is hurting the Indian internet economy. </li>
<li style="text-align: justify; "><b>Intermediary Liability in India</b>. Centre for Internet and Society. 2011, available at: <a href="https://cis-india.org/internet-governance/intermediary-liability-in-india.pdf">http://cis-india.org/internet-governance/intermediary-liability-in-india.pdf</a>. This report reviews and ‘tests’ the effect of the Indian intermediary liability on freedom of expression. The report concludes that the present regime in India has a chilling effect on free expression and offers recommendations on how the Indian regime can be amended to protect this right. </li>
<li style="text-align: justify; ">The Liability of Internet Service providers and the exercise of the freedom of expression in Latin America have been explored in detail through the course of this research paper by Claudio Ruiz Gallardo and J. Carlos Lara Galvez. The paper explores the efficacy and the implementation of proposals to put digital communication channels under the oversight of certain State sponsored institutions in varying degrees. The potential consequence of legal intervention in media and digital platforms, on the development of individual rights and freedoms has been addressed through the course of this study. The paper tries to arrive at relevant conclusions with respect to the enforcement of penalties that seek to redress the liability of communication intermediaries and the mechanism that may be used to oversee the balance between the interests at stake as well as take comparative experiences into account. The paper also analyses the liability of technical facilitators of communications while at the same time attempting to define a threshold beyond which the interference into the working of these intermediaries may constitute an offence of the infringement of the privacy of users. Ultimately, it aims to derive a balance between the necessity for intervention, the right of the users who communicate via the internet and interests of the economic actors who may be responsible for the service: <a class="external-link" href="http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf">http://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/02-Liability_Internet_Service_Providers_exercise_freedom_expression_Latin_America_Ruiz_Gallardo_Lara_Galvez.pdf</a></li>
</ol>
<hr />
<p><a class="external-link" href="https://crm.apc.org/civicrm/mailing/view?reset=1&id=191">Click to read the newsletter</a> from the Association for Progressive Communications. The summaries for the reports can be found below:</p>
<p style="text-align: justify; ">Internet Intermediaries: The Dilemma of Liability in Africa. APC News, May 2014, available at: <a href="http://www.apc.org/en/node/19279/">http://www.apc.org/en/node/19279/</a>. This report summarizes the challenges facing internet content regulators in Africa, and the effects of these regulations on the state of the internet in Africa. Many African countries do not protect intermediaries from potential liability, so some intermediaries are too afraid to transmit or host content on the internet in those countries. The report calls for a universal rights protection for internet intermediaries.</p>
<p style="text-align: justify; ">APC’s Frequently Asked Questions on Internet Intermediary Liability: APC, May 2014, available at: <a href="http://www.apc.org/en/node/19291/">http://www.apc.org/en/node/19291/</a>. This report addresses common questions pertaining to internet intermediaries, which are entities that provide services enabling people to use the internet, from network providers to search engines to comments sections on blogs. Specifically, the report outlines different models of intermediary liability, defining two main models. Under the “Generalist” model, intermediary liability is judged according to the general rules of civil and criminal law, while the “Safe Harbour” model protects intermediaries with a legal safe zone.</p>
<p style="text-align: justify; ">New Developments in South Africa: APC News, May 2014, available at: <a href="http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri">http://www.apc.org/en/news/intermediary-liability-new-developments-south-afri</a>. This interview with researchers Alex Comninos and Andrew Rens goes into detail about the challenges of intermediary liability in South Africa. The researchers discuss the balance that needs to be struck between insulating intermediaries from a fear of liability and protecting women’s rights in an environment that is having trouble dealing with violence against women. They also discuss South Africa’s three strikes policy for those who pirate material.</p>
<p style="text-align: justify; ">Preventing Hate Speech Online In Kenya: APCNews, May 2014, available at: <a href="http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli">http://www.apc.org/en/news/intermediary-liability-preventing-hate-speech-onli</a>. This interview with Grace Githaiga investigates the uncertain fate of internet intermediaries under Kenya’s new regime. The new government has mandated everyone to register their SIM cards, and indicated that it was monitoring text messages and flagging those that were deemed risky. This has led to a reduction in the amount of hate speech via text messages. Many intermediaries, such as newspaper comments sections, have established rules on how readers should post on their platforms. Githaiga goes on to discuss the issue of surveillance and the lack of a data protection law in Kenya, which she sees as the most pressing internet issue in Kenya.</p>
<p style="text-align: justify; ">New Laws in Uganda Make Internet Providers More Vulnerable to Liability and State Intervention: APCNews, May 2014, available at: <a href="http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne">http://www.apc.org/en/news/new-laws-uganda-make-internet-providers-more-vulne</a>. In an interview, Lilian Nalwoga discusses Uganda’s recent anti-pornography law that can send intermediaries to prison. The Anti-Pornography Act of 2014 criminalizes any sort of association with any form of pornography, and targets ISPs, content providers, and developers, making them liable for content that goes through their systems. This makes being an intermediary extremely risky in Uganda. The other issue with the law is a vague definition of pornography. Nalwoga also explains the Anti-Homosexuality Act of 2014 bans any promotion or recognition of homosexual relations, and the monitoring technology the government is using to enforce these laws.</p>
<p style="text-align: justify; ">New Laws Affecting Intermediary Liability in Nigeria: APCNews, May 2014, available at: <a href="http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria">http://www.apc.org/en/news/new-laws-affecting-intermediary-liability-nigeria</a>. Gbenga Sesan, executive director of Paradigm Initiative Nigeria, expounds on the latest trends in Nigerian intermediary liability. The Nigerian Communications Commission has a new law that mandates ISPs store users’ data for at least three years, and wants to make content hosts responsible for what users do on their networks. Additionally, in Nigeria, internet users must register with their real name and prove that they are the person who is registering. Sesan goes on to discuss the lack of safe harbor provisions for intermediaries and the remaining freedom of anonymity on social networks in Nigeria.</p>
<p style="text-align: justify; ">Internet Policies That Affect Africans: APC News, May 2014, available at: <a href="http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af">http://www.apc.org/en/news/intermediary-liability-internet-policies-affect-af</a>. The Association for Progressive Communications interviews researcher Nicolo Zingales about the trend among African governments of establishing further regulations to control the flow of information on the internet and hold intermediaries liable for content they circulate. Zingales criticizes intermediary liability for “creating a system of adverse incentives for free speech.” He goes on to offer examples of intermediaries and explain the concept of “safe harbor” legislative frameworks. Asked to identify best and worst practices in Africa, he highlights South Africa’s safe harbor as a good practice, and mentions the registration of users via ID cards as a worst practice.</p>
<p style="text-align: justify; ">Towards Internet Intermediary Responsibility: Carly Nyst, November 2013, available at: <a href="http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility">http://www.genderit.org/feminist-talk/towards-internet-intermediary-responsibility</a>. Nyst argues for a middle ground between competing goals in internet regulation in Africa. The goal of protecting free speech through internet intermediaries seems at odds with the goal of protecting women’s rights and limiting hate speech, because one demands that intermediaries be protected in a legal safe harbor and the other requires that intermediaries be vigilant and police their content. Nyst’s solution is not intermediary liability but <i>responsibility</i>, a role defined by empowerment, and establishing an intermediary responsibility to promote positive gender attitudes.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/intermediary-liability-resources'>https://cis-india.org/internet-governance/blog/intermediary-liability-resources</a>
</p>
No publisher | elonnai | Freedom of Speech and Expression, Internet Governance, Intermediary Liability, Privacy | 2014-07-03T06:45:48Z | Blog Entry
Leaked Privacy Bill: 2014 vs. 2011
https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011
<b>The Centre for Internet and Society has recently received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India has drafted.</b>
<hr />
<p style="text-align: justify; ">Note: <i>After obtaining a copy of the leaked Privacy Bill 2014, we have replaced the blog "An Analysis of the New Draft Privacy Bill" which was based off of a report from the Economic Times, with this blog post</i>.</p>
<hr />
<p style="text-align: justify; ">This represents the third leak of potential privacy legislation for India that we know of, with publicly available versions having leaked in <a href="http://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf">April 2011</a> and <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">September 2011</a>.</p>
<p style="text-align: justify; ">When compared to the September 2011 Privacy Bill, the text of the 2014 Bill includes a number of changes, additions, and deletions. Below is an outline of significant changes from the <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">September 2011 Privacy Bill</a> to the 2014 Privacy Bill:</p>
<ul style="text-align: justify; ">
<li><b>Scope:</b> The 2014 Bill extends the right to Privacy to all residents of India. This is in contrast to the 2011 Bill, which extended the Right to Privacy to citizens of India. The 2014 Bill furthermore recognizes the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India, whereas the 2011 Bill did not explicitly recognize the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.</li>
<li style="text-align: justify; "><b><span>Definitions:</span></b><span> The 2014 Bill includes a number of new definitions, redefines existing terms, and deletes others.<br /></span></li>
</ul>
<p style="text-align: justify; "><b>Terms that have been added in the 2014 Bill and the definitions</b></p>
<ol style="text-align: justify; ">
<li style="text-align: justify; "><b><i>Personal identifier</i>:</b> Any unique alphanumeric sequence of numbers, letters, and symbols that specifically identifies an individual with a database or a data set.</li>
<li style="text-align: justify; "><b><i>Legitimate purpose</i>:</b> A purpose covered under this Act or any other law for the time being in force, which is certain, unambiguous, and limited in scope for collection of any personal data from a data subject.</li>
<li style="text-align: justify; "><b><i>Competent authority</i>:</b> The authority which is authorized to sanction interception or surveillance, as the case may be, under this Act or rules made there under or any other law for the time being in force.</li>
<li style="text-align: justify; "><b><i>Notification</i>:</b> Notification issued under this Act and published in the Official Gazette.</li>
<li style="text-align: justify; "><b><i>Control</i>:</b> And all other cognate forms of expressions thereof, means, in relation to personal data, the collection or processing of personal data and shall include the ability to determine the purposes for and the manner in which any personal data is to be collected or processed.</li>
<li style="text-align: justify; "><b><i>Telecommunications system</i>:</b> Any system used for transmission or reception of any communication by wire, radio, visual or other electromagnetic means but shall not include broadcasting services.</li>
<li style="text-align: justify; "><b><i>Privacy standards</i>:</b> The privacy standards or protocols or codes of practice developed by industry associations.</li>
</ol>
<p style="text-align: justify; "><b>Terms that have been re-defined in the 2014 Bill from the 2011 Bill and the 2014 Bill definitions</b></p>
<ol style="text-align: justify; ">
<li><b><i>Communication data:</i></b> The data held or obtained by a telecommunications service provider in relation to a data subject including the data usage of the telecommunications </li>
<li><b><i>Data subject</i>:</b> Any living individual, whose personal data is controlled by any person.</li>
<li><b><i>Interception</i>:</b> In relation to any communication in the course of its transmission through a telecommunication system, any action that results in some or all of the contents of that communication being made available, while being transmitted, to a person other than the sender or the intended recipient of the communication. </li>
<li><b><i>Person</i>:</b> Any natural or legal person and shall include a body corporate, partnership, society, trust, association of persons, Government company, government department, urban local body, or any other officer, agency or instrumentality of the state. </li>
<li><b><i>Sensitive personal data</i>:</b> Personal data relating to: (a) physical and mental health including medical history, (b) biometric, bodily or genetic information, (c) criminal convictions (d) password, (e) banking credit and financial data (f) narco analysis or polygraph test data, (g) sexual orientation. Provided that any information that is freely available or accessible in public domain or to be furnished under the Right to Information Act 2005 or any other law for time being in force shall not be regarded as sensitive personal data for the purposes of this Act.</li>
<li><b><i>Individual:</i></b> A resident of India. </li>
<li><b><i>Covert surveillance</i>:</b> “Covert surveillance” means obtaining private information about an individual and his private affairs without his knowledge and includes: (i) directed surveillance which is undertaken for the purposes of specific investigation or specific operation in such a manner as is likely to result in the obtaining of private information about a person whether or not that person was specifically identified in relation to the investigation or operation; (ii) intrusive surveillance which is carried out by an individual or a surveillance device in relation to anything taking place on a residential premise or in any private vehicle. It also covers use of any device outside the premises or a vehicle wherein it can give information of the same quality and detail as if the device were in the premises or vehicle; (iii) covert human intelligence service which is information obtained by a person who establishes or maintains a personal or other relationship with an individual for the covert purpose of using such a relationship to obtain or to provide access to any personal information about that individual.</li>
<li><b><i>Re-identify</i></b>: means the recovery of data from an anonymised data, capable of identifying a data subject whose personal data has been anonymised;</li>
<li><b><i>Process</i>:</b> “Process” and all other cognate forms of expressions thereof, means any operation or set of operations, whether carried out through automatic means or not by any person or organization, that relates to: (a) collation, storage, disclosure, transfer, updating, modification, alteration or use of personal data; or (b) the merging, linking, blocking, degradation or anonymisation of personal data;</li>
<li><b><i>Direct marketing</i></b>: Direct Marketing means sending of a commercial communication to any individual </li>
<li><b><i>Data controller</i></b>: any person who controls, at any point in time, the personal data of a data subject but shall not include any person who merely provides infrastructure for the transfer or storage of personal data to it data controller;</li>
<li><b><i> Government</i></b>: the Central Government or as the case may be, the State Government and includes the Union territory Administration, local authority or any agency and instrumentality of the Government;</li>
</ol>
<p style="text-align: justify; ">Terms that have been removed from the 2014 Bill that were in the 2011 Bill and the 2011 definition:</p>
<ol style="text-align: justify; ">
<li>Consent: Includes implied consent</li>
<li>Maintain: Includes maintain, collect, use, or disseminate.</li>
<li>Data processor: In relation to personal data means any person (other than the employee of the data controller), who processes the data on behalf of the data controller. </li>
<li>Local authority: A municipal committee, district board, body of port commissioners, council, board or other authority legally entitled to, or entrusted by the Government with, the control or management of a municipal or local fund. </li>
<li>Prescribed: Prescribed by rules made under this Act.</li>
<li>Surveillance: Surveillance undertaken through installation and use of CCTVs and other system which capture images to identify or monitor individuals (this was removed from the larger definition of surveillance.)</li>
<li>DNA: Cell in the body of an individual, whether collected from a cheek cell, blood cell, skin cell or other tissue, which allows for identification of such individual when compared with another individual. </li>
</ol>
<p style="text-align: justify; ">Terms that have remained broadly (with some modification) the same between the 2014 Bill and 2011 Bill (as per the 2014 Bill definition):</p>
<ol style="text-align: justify; ">
<li>Authority: The Data Protection Authority of India </li>
<li>Appellate tribunal: The Cyber Appellate Tribunal established under Sub-Section (1) of section 48 of the Information Technology Act, 2000.</li>
<li>Personal data: Any data which relates to a data subject, if that data subject can be identified from that data, either directly or indirectly, in conjunction with other data that the data controller has or is likely to have and includes any expression of opinion about such data subject. </li>
<li>Member: Member of the Authority </li>
<li>Disclose: and all other cognate forms of expression thereof, means disclosure, dissemination, broadcast, communication, distribution, transmission, or make available in any manner whatsoever, of personal data. </li>
<li>Anonymised: The deletion of all data that identifies the data subject or can be used to identify the data subject by linking such data to any other data of the data subject, by the data controller. </li>
</ol>
<ul style="text-align: justify; ">
<li><b>Exceptions to the Right to Privacy</b>: According to the 2011 Bill, the exceptions to the Right to Privacy included: </li>
</ul>
<ol style="text-align: justify; ">
<li>Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state </li>
<li>Preventing incitement to the commission of any offence </li>
<li>Prevention of public disorder or the detection of crime</li>
<li>Protection of rights and freedoms of others </li>
<li>In the interest of friendly relations with foreign state</li>
<li>Any other purpose specifically mentioned in the Act. </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill reflects almost all of the exceptions defined in the 2011 Bill, but removes ‘detection of crime’ from the list of exceptions. The 2014 Bill also qualifies that the application of each exception must be adequate, relevant, and not excessive to the objective it aims to achieve and must be imposed in the manner prescribed – whereas the 2011 Bill stated only that the application of exceptions to the Right to Privacy cannot be disproportionate to the purpose sought to be achieved.</p>
<p id="content" style="text-align: justify; "></p>
<ul style="text-align: justify; ">
<li>Acts not to be considered deprivations of privacy: The 2011 Bill lists five instances that will not be considered a deprivation of privacy - namely</li>
</ul>
<ol style="text-align: justify; ">
<li>For journalistic purposes unless it is proven that there is a reasonable expectation of privacy, </li>
<li>Processing data for personal or household purposes,</li>
<li>Installation of surveillance equipment for the security of private premises, </li>
<li>Disclosure of information via the Right to Information Act 2005,</li>
<li>And any other activity exempted under the Act.</li>
</ol>
<p style="text-align: justify; ">The 2014 Bill limits these instances to:</p>
<ol style="text-align: justify; ">
<li>The processing of data purely for personal or household purposes, </li>
<li>Disclosure of information under the Right to Information Act 2005,</li>
<li>And any other action specifically exempted under the Act.</li>
</ol>
<ul style="text-align: justify; ">
<li style="text-align: justify; ">Privacy Principles: Unlike the 2011 Bill, the 2014 Bill defines nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. The Privacy Principles will apply to all existing and evolving practices. </li>
</ul>
<ul style="text-align: justify; ">
<li>Provisions for Personal Data: Both the 2011 Bill and the 2014 Bill have provisions that apply to the processing of personal and sensitive personal data. The 2011 Bill includes provisions addressing the:</li>
</ul>
<ol style="text-align: justify; ">
<li>Collection of personal data, </li>
<li>Processing of personal data, </li>
<li>Data quality, </li>
<li>Provisions relating to sensitive personal data, </li>
<li>Retention of personal data,</li>
<li>Sharing (disclosure) of personal data, </li>
<li>Security of personal data, </li>
<li>Notification of breach of security, </li>
<li>Access to personal data by data subject,</li>
<li>Updation of personal data by data subject</li>
<li>Mandatory processing of data,</li>
<li>Trans border flows of personal data.</li>
</ol>
<p style="text-align: justify; ">Of these, the 2014 Bill broadly (though not verbatim) reflects the 2011 Bill provisions relating to the:</p>
<ol style="text-align: justify; ">
<li>Collection of personal data,</li>
<li>Processing of personal data, </li>
<li>Access to personal data,</li>
<li>Updating personal data</li>
<li>Retention of personal data</li>
<li>Data quality, </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill further includes provisions addressing:</p>
<ol style="text-align: justify; ">
<li>Openness and accountability, </li>
<li>Choice, </li>
<li>Consent,</li>
<li>Exceptions for personal identifiers. </li>
</ol>
<p style="text-align: justify; ">The 2014 Bill has made changes to the provisions addressing:</p>
<ol style="text-align: justify; ">
<li>Provisions relating to sensitive personal data, </li>
<li>Sharing (disclosure of personal data), </li>
<li>Notification of breach of security, </li>
<li>Mandatory processing of data </li>
<li>Security of personal data</li>
<li>Trans border flows of personal data. </li>
</ol>
<p style="text-align: justify; ">The changes that have been made have been mapped out below:</p>
<p style="text-align: justify; "><b>Provisions Relating to Sensitive Personal Data:</b> The 2011 Bill and 2014 Bill both require authorization by the Authority for the collection and processing of sensitive personal data. At the same time, both Bills include a list of circumstances under which authorization for the collection and processing of sensitive personal data is not required. On the whole, this list is the same between the 2011 Bill and 2014 Bill, but the 2014 Bill adds the following circumstances in which authorization is not needed for the collection and processing of sensitive personal data:</p>
<ol style="text-align: justify; ">
<li style="text-align: justify; ">For purposes related to the insurance policy of the individual if the data relates to the physical or mental health or medical history of the individual and is collected and processed by an insurance company.</li>
<li style="text-align: justify; ">Collected or processed by the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</li>
</ol>
<p style="text-align: justify; ">The 2014 Bill also allows the Authority to specify additional regulations for sensitive personal data, and requires fresh consent to be obtained before any additional transaction is performed with the sensitive personal information. The 2014 Bill carves out another exception for Government agencies, allowing disclosure of sensitive personal data without consent to Government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.</p>
<p style="text-align: justify; "><b>Notification of Breach of Security</b>: The provisions relating to the notification of breach of security in the 2014 Bill differ from the 2011 Bill. Specifically, the 2014 Bill removes the requirement that data controllers must publish information about a data breach in two national newspapers. Thus, in the 2014 Bill, data controllers must only inform the data protection authority and affected individuals of the breach.</p>
<p style="text-align: justify; "><b>Notice</b>: The 2014 Bill changes the structure of the notice mechanism. In the 2011 Bill, prior to the processing of data, data controllers had to take all reasonable steps to ensure that the data subject was aware of the following:</p>
<ol style="text-align: justify; ">
<li>The documented purposes for which such personal data is being collected</li>
<li>Whether providing of personal data by the data subject is voluntary or mandatory under law or in order to avail of any product or service</li>
<li>The consequences of the failure to provide the personal data </li>
<li>The recipient or category of recipients of the personal data </li>
<li>The name and address of the data controller and all persons who are or will be processing information on behalf of the data controller </li>
<li>If such personal data is intended to be transferred out of the country, details of such transfer. </li>
</ol>
<p style="text-align: justify; ">In contrast the 2014 Bill provides that before personal data is collected, the data controller must give notice of:</p>
<ol style="text-align: justify; ">
<li>What data is being collected and</li>
<li>The legitimate purpose for the collection.</li>
</ol>
<p style="text-align: justify; ">If the purpose for which the data was collected has changed the data controller will then be obligated to provide the data subject with notice of:</p>
<ol style="text-align: justify; ">
<li>The use to which the personal data will be put</li>
<li>Whether or not the personal data will be disclosed to a third party and if so the identity of such person </li>
<li>If the personal data being collected is intended to be transferred outside India and the reasons for doing so, how the transfer helps in achieving the legitimate purpose and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data. </li>
<li>The security and safeguards established by the data controller in relation to the personal data </li>
<li>The processes available to a data subject to access and correct his personal data</li>
<li>The recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto</li>
<li>The name, address, and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. </li>
</ol>
<p style="text-align: justify; "><b>Disclosure of personal data</b>: Though titled ‘sharing of personal data’, the relevant provisions in both the 2011 Bill and 2014 Bill require consent for the disclosure of personal information, but list exceptional circumstances in which consent is not needed. In the 2011 Bill, the relevant provision permits disclosure of personal data without consent only if (i) the sharing was a part of the documented purpose, (ii) the sharing is for any purpose relating to the exceptions to the right to privacy or (iii) the Data Protection Authority has authorized the sharing. In contrast, the 2014 Bill permits disclosure of personal data without consent if (i) such disclosure is part of the legitimate purpose, (ii) such disclosure is for achieving any of the objectives of section 5, (iii) the Authority has by order authorized such disclosure, (iv) the disclosure is required under any law for the time being in force, or (v) the disclosure is made to the Government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India. As a safeguard, the 2014 Bill requires that any person to whom personal information is disclosed, whether a resident or not, must adhere to all provisions of the Act. Furthermore, the disclosure of personal data must be limited to the extent which is necessary to achieve the purpose for which the disclosure is sought and no person can make public any personal data that is in its control.</p>
<p style="text-align: justify; "><b>Transborder flow of information</b>: Though both the 2011 Bill and the 2014 Bill require that any country to which data is transferred must have equivalent or stronger data protection standards in place, the 2014 Bill carves out an exception for law enforcement and intelligence agencies and the transfer of any personal data outside the territory of India, in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</p>
<p style="text-align: justify; "><b>Mandatory Processing of Data</b>: Both the 2011 Bill and 2014 Bill have provisions that address the mandatory processing of data. These provisions are similar, but the 2014 Bill includes a requirement that data controllers must anonymize personal data that is collected without prior consent from the data subject within a reasonable time frame after collection.</p>
<p style="text-align: justify; "><b>Security of Personal Data:</b> The provision relating to the security of personal information in the 2014 Bill has been changed from the 2011 Bill by expanding the list and type of breaches that must be prevented, but removing requirements that data controllers must ensure all contractual arrangements with data processors specifically ensure that the data is maintained with the same level of security.</p>
<ul>
<li style="text-align: justify; "><b>Conditions on which provisions do not apply:</b> Both the 2011 Bill and 2014 Bill define conditions under which the provisions of updating personal data, access, notification of breach of security, retention of personal data, data quality, consent, choice, notice, and right to privacy will not apply to personal data. Though the 2011 Bill and 2014 Bill reflect the same conditions, the 2014 Bill carves out an exception for Government Intelligence Agencies - stating that the provisions of updating personal data, access to data by the data subject, notification about breach of security, retention of personal data, data quality, processing of personal data, consent, choice, notice, collection from an individual will not apply to data collected or processed in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.</li>
<li style="text-align: justify; "><b>Privacy Officers</b>: Unlike the 2011 Bill, the 2014 Bill defines the role of the privacy officer that must be established by every data controller for the purpose of overseeing the security of personal data and implementation of the provisions of the Act.</li>
<li style="text-align: justify; "><b>Power of Authority to Exempt: </b> Both the 2011 Bill and 2014 Bill contain provisions that enable the Authority to waive the applicability of specific provisions of the Act. The circumstances in which this can be done are based on the exceptions to the Right to Privacy in both the 2011 and 2014 Bill. To this extent, the 2014 Bill differs slightly from the 2011 Bill, by removing the power of the Authority to exempt for the ‘detection of crime’ and ‘any other legitimate purpose mentioned in this Act’.</li>
</ul>
<ul>
<li style="text-align: justify; "><b>The Data Protection Authority:</b> The 2011 Bill and 2014 Bill both establish Data Protection Authorities, but the 2014 Bill further clarifies certain aspects of the functioning of the Authority and expands the functions and the powers of the Authority. For example, new functions of the Authority include:</li>
</ul>
<ol>
<li style="text-align: justify; ">Auditing any or all personal data controlled by the data controller to assess whether it is being maintained in accordance with the Act, </li>
<li> Suggesting international instruments relevant to the administration of the Act,</li>
<li style="text-align: justify; "> Encouraging industry associations to evolve privacy standards for self regulations, adjudicating on disputes arising between data controllers or between individuals and data controllers.</li>
</ol>
<p style="text-align: justify; ">The 2014 Bill also expands the powers of the Data Protection Authority – importantly giving it the power to receive and investigate complaints about alleged violations of privacy and issue appropriate orders or directions.</p>
<p style="text-align: justify; ">At the same time, the 2014 Bill carves out an exception for Government Intelligence Agencies and Law Enforcement agencies – preventing the Authority from conducting investigations, issuing appropriate orders or directions, and adjudicating complaints in respect to actions taken by the Government Intelligence Agencies and Law Enforcement, if for the objectives of (a) sovereignty, integrity or security of India; or (b) strategic, scientific or economic interest of India; or (c) preventing incitement to the commission of any offence; or (d) prevention of public disorder; or (e) the investigation of any crime; or (f) protection of rights and freedoms of others; or (g) friendly relations with foreign states; or (h) any other legitimate purpose mentioned in this Act.</p>
<p style="text-align: justify; ">This power is instead vested with a court of competent jurisdiction.</p>
<ul>
<li style="text-align: justify; "><b>The National Data Controller Registry</b>: The 2014 Bill removes the National Data Controller Registry and requirements for data controllers to register themselves and oversight of the Registry by the Data Protection Authority.</li>
<li style="text-align: justify; "><b>Direct Marketing: </b>Both the 2011 and 2014 Bills contain provisions regulating the use of personal information for direct marketing purposes. Though the provisions are broadly the same, the 2011 Bill envisions that no person will undertake direct marketing unless he/she is registered in the ‘National Data Registry’ and one of the stated purposes is direct marketing. As the 2014 Bill removes the National Data Registry, the 2014 Bill now requires that any person undertaking direct marketing must have on record where he/she has obtained personal data from.</li>
<li style="text-align: justify; "><b>Interception of Communications</b>: Though maintaining some of the safeguards defined in the 2011 Bill for interception, the 2014 Bill changes the interception regime envisioned in the 2011 Bill by carving out a wide exception for organizations monitoring the electronic mail of employees, removing provisions requiring that the interception take place only for the minimum period of time required for achieving the purposes, and removing provisions excluding the use of intercepted communications as evidence in a court of law. Similar to the 2011 Bill, the 2014 Bill specifies that the principles of notice, choice and consent, access and correction, and openness will not apply to the interception of communications.</li>
<li style="text-align: justify; "><b>Video Recording Equipment in public places</b>: Unlike the 2011 Bill, which addressed only the use of CCTVs, the 2014 Bill addresses the installation and use of video recording equipment in public places. Though the 2011 Bill and 2014 Bill both prevent the use of recording equipment and CCTVs for the purpose of identifying an individual, monitoring his personal particulars, or revealing personal, or otherwise adversely affecting his right to privacy - the 2014 Bill requires that the use of recording equipment must be in accordance with procedures, for a legitimate purpose, and proportionate to the objective for which the equipment was installed. </li>
</ul>
<p>The 2014 Bill makes a broad exception to these safeguards for law enforcement agencies and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific, or economic interest of India.</p>
<ul>
<li style="text-align: justify; "><b>Privacy Standards and Self Regulation</b>: The 2014 Bill establishes a specific mechanism of self regulation where industry associations will develop privacy standards and adhere to them. For this purpose, an industry ombudsman should be appointed. The standards must be in conformity with the National Privacy Principles and the provisions of the Privacy Bill. The developed standards will be submitted to the Authority and the Authority may frame regulations based on the standards. If an industry association has not developed privacy standards, the Authority may frame regulations for a specific sector.</li>
<li style="text-align: justify; "><b>Settlement of Disputes and Appellate Tribunal:</b> The 2014 Bill makes a significant change to the process for settling disputes from the 2011 Bill. In the 2014 Bill an Alternative Dispute Mechanism is established where disputes between individuals and data controllers are first addressed by the Privacy Officer of each Data Controller or the industry level Ombudsman. If individuals are not satisfied with the decision of the Ombudsman they may take the complaint to the Authority. Individuals can also take the complaint directly to the Authority if they wish. If an individual is aggrieved with the decision of the Authority, by a privacy officer or ombudsman through the Alternative Dispute Resolution mechanism, or by the adjudicating officer of the Authority, they may approach the Appellate Tribunal. Any order from the Appellate Tribunal can be appealed at a high court. </li>
</ul>
<p style="text-align: justify; ">In the 2011 Bill disputes between the data controller and an individual can be taken directly to the Appellate Tribunal and orders from the Authority can be appealed at the Tribunal. There is no further path of appeal against an order of the Tribunal.</p>
<ul>
<li style="text-align: justify; "><b>Offences and Penalties:</b> The 2014 Bill changes the structure of the offences and penalties section by breaking the two into separate sections - one addressing offences and one addressing penalties while the 2011 Bill addressed offences and penalties in the same section. </li>
</ul>
<ul>
<li style="text-align: justify; "><b>Offences</b>: The 2014 Bill penalizes every offence with imprisonment and a fine and empowers a police officer not below the rank of Deputy Superintendent of Police to investigate any offence, limits the court's ability to take cognizance of an offence to only those brought by the Authority, requires that the Court be no lower than a Chief Metropolitan Magistrate or a Chief Judicial Magistrate, and permits courts to compound offences. The 2014 Bill further specifies that any offence that is punishable with three years in prison and above is cognizable, and offences punishable with three years in prison are bailable. Under the 2014 Bill offences are defined as:</li>
</ul>
<ol>
<li>Unauthorized interception of communications </li>
<li>Disclosure of intercepted communications </li>
<li>Undertaking unauthorized Covert Surveillance </li>
<li>Unauthorized use or disclosure of communication data </li>
</ol>
<p style="text-align: justify; ">The offences defined under the Act are reflected in the 2011 Bill, but the time in prison and fine is higher in the 2014 Bill.</p>
<p style="text-align: justify; "><b>Penalties</b>: The 2014 Bill provides a list of penalties including:</p>
<ol>
<li>Penalty for obtaining personal data on false pretext</li>
<li style="text-align: justify; ">Penalty for violation of conditions of license pertaining to maintenance of secrecy and confidentiality by telecommunications service providers </li>
<li>Penalty for disclosure of other personal information </li>
<li>Penalties for contravention of directions of the Authority </li>
<li>Penalties for data theft </li>
<li>Penalties for unauthorised collection, processing, and disclosure of personal data</li>
<li style="text-align: justify; ">Penalties for unauthorized use of personal data for direct marketing.</li>
</ol>
<p style="text-align: justify; ">These penalties reflect the penalties in the 2011 Bill, but prescribe higher fines.</p>
<p style="text-align: justify; "><b>Adjudicating Officer</b>: Unlike the 2011 Bill that did not have in place an adjudicating officer, the 2014 Bill specifies that the Chairperson of the Authority will appoint a Member of the Authority not below the Rank of Director of the Government of India to be an adjudicating officer. The adjudicating officer will have the power to impose a penalty and will have the same powers as vested in a civil court under the Code of Civil Procedure. Every proceeding before the adjudicating officer will be considered a judicial proceeding. When adjudicating, the officer must take into consideration the amount of disproportionate gain or unfair advantage, the amount of loss caused, and the respective nature of the default.</p>
<p style="text-align: justify; "><b>Civil Remedies and compensation</b>: Both the 2011 and 2014 Bill contain provisions that permit an individual to pursue a civil remedy, but the 2014 Bill limits these instances to cases where loss or damage has been suffered or an adverse determination is made about an individual due to negligence in complying with the Act, and provides for the possibility that the contravening parties will have to provide a public notice of the offense. <br /><br />The 2014 Bill removes provisions specifying that individuals that have suffered loss due to a contravention by the data controller of the Act are entitled to compensation.</p>
<p style="text-align: justify; "><b>Exceptions for intelligence agencies</b>: Unlike the 2011 Bill, the 2014 Bill includes an exception for Government Intelligence Agencies and Law Enforcement Agencies – stating that the Authority will not have the power to conduct investigations, issue appropriate orders and directions or otherwise adjudicate complaints in respect of action taken by the Government intelligence agencies and Law Enforcement agencies for achieving any of the objectives that reflect the defined exceptions to privacy.</p>
<p style="text-align: justify; ">The Centre for Internet and Society welcomes many of the changes that are reflected in the Privacy Bill 2014, but is cautious about the wide exceptions that have been carved out for law enforcement and intelligence agencies in the Bill.</p>
<p style="text-align: justify; ">In 2012, the Report of the Group of Experts on Privacy was developed for the purpose of informing a privacy framework for India. As such the Centre for Internet and Society will be analyzing in upcoming posts the draft Privacy Bill 2014 and the recommendations in the Report of the Group of Experts on Privacy.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011'>https://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011</a>
</p>
No publisher | elonnai | Featured, Internet Governance, Privacy | 2014-04-01T10:52:41Z | Blog Entry
UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules
https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules
<b>UIDAI practices and section 43A of the IT Act are analyzed in this post.</b>
<p style="text-align: justify; ">In the 52<sup>nd</sup> Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated <i>“...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”</i> (pg.46) <a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011<a href="#fn2" name="fr2">[2]</a> and analyses publicly available documents from the UIDAI website<a href="#fn3" name="fr3">[3]</a> as well as the UIDAI enrolment form<a href="#fn4" name="fr4">[4]</a> to demonstrate the ways in which:</p>
<ul>
<li style="text-align: justify; ">UIDAI practices <b>are </b>in line with section 43A and the Rules, </li>
<li style="text-align: justify; ">UIDAI practices <b>are not</b> in line with section 43A and the Rules, </li>
<li style="text-align: justify; ">UIDAI practices <b>are partially</b> in line with section 43A and the Rules </li>
<li style="text-align: justify; "><b>Where more information</b> is needed to draw a conclusion. </li>
</ul>
<h3>Applicability and Scope</h3>
<p>Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.</p>
<p>Body Corporate under the Information Technology Act 2008 is defined as:</p>
<p style="text-align: justify; "><i> “Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” </i></p>
<p style="text-align: justify; "><b>UIDAI Practices - not in line</b>: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.</p>
<h3 style="text-align: justify; ">Privacy Policy on Website</h3>
<p>Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:</p>
<ul>
<li>Clear and easily accessible statements of its practices and policies</li>
<li>Type of personal or sensitive personal data or information collected</li>
<li>Purpose of collection and usage of such information </li>
<li>Disclosure of information including sensitive personal information </li>
<li>Reasonable security practices and procedures as provided under rule 8</li>
</ul>
<p><b>UIDAI Practices - Partially in Line</b></p>
<ul>
<li style="text-align: justify; ">Though the UIDAI has placed a privacy policy<a href="#fn6" name="fr6">[6]</a> on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.</li>
<li style="text-align: justify; ">The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states <i>“As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”</i><br /><br />Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.<a href="#fn7" name="fr7">[7]</a><br /><br />The privacy policy goes on to state: <i> “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”</i></li>
<li style="text-align: justify; ">The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.</li>
<li style="text-align: justify; ">The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states<i> “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”</i></li>
<li style="text-align: justify; ">The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI. </li>
</ul>
<h3 style="text-align: justify; ">Consent<i> </i></h3>
<p>Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The UIDAI collects written consent from individuals through the enrolment form for the issuance of an Aadhaar number.</p>
<h3 style="text-align: justify; ">Collection Limitation</h3>
<p>Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.</p>
<h3 style="text-align: justify; ">Notice During Direct Collection</h3>
<p style="text-align: justify; ">Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:</p>
<ul>
<li>The fact that the information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information </li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li>
</ul>
<p><b>UIDAI Practices - Partially in Line<br /></b>The Aadhaar enrolment form does not provide the following information:<b> </b></p>
<ul>
<li>The intended recipients of the information</li>
<li>The name and address of the agency collecting the information </li>
<li>The name and address of the agency that will retain the information </li>
</ul>
<h3>Retention Limitation</h3>
<p style="text-align: justify; ">Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear</b><br />It is unclear from publicly available information what the UIDAI retention practices are.</p>
<h3 style="text-align: justify; ">Use Limitation</h3>
<p>Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p><b>UIDAI Practices - Unclear<br /></b>It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected.</p>
<h3>Right to Access and Correct<b> </b></h3>
<p>Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct personal or sensitive personal information.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line<br /></b>Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, date of birth, and mobile number can be updated through this method. <a href="#fn9" name="fr9">[9]</a></p>
<h3 style="text-align: justify; ">Right to ‘Opt Out’ and Withdraw Consent</h3>
<p style="text-align: justify; ">Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time. Body corporate has the right to withdraw services if consent is withdrawn.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line<br /></b>The UID enrolment form provides individuals with one ‘optional’ field - the option of having the UIDAI open a bank account and link it to the individual's UID number or having the UIDAI link present bank accounts to the individual's UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.</p>
<h3 style="text-align: justify; ">Security of Information</h3>
<p style="text-align: justify; ">Rule 8 requires that body corporate must secure information in accordance with the ISO 27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant upgradation of its process and computer resource.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear<br /></b>The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.</p>
<h3 style="text-align: justify; ">Disclosure with Consent<b> </b></h3>
<p style="text-align: justify; ">Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case of Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line</b><br />In the enrolment form, consent for disclosure is stated as<i> ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” </i>This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.</p>
<p style="text-align: justify; ">The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states <i>“</i><i> </i><i>We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”</i></p>
<h3 style="text-align: justify; ">Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify; ">Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The UIDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.</p>
<h3 style="text-align: justify; ">Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify; ">Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear<br /></b>It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India. <b></b></p>
<h3 style="text-align: justify; ">Establishment of Grievance Officer<b></b></h3>
<p style="text-align: justify; ">Rule 5(9) requires that body corporate must establish a grievance officer, that the details must be posted on the body corporate's website, and that grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line<br /></b>The website of the UIDAI provides details of a grievance officer that individuals can contact.<a href="#fn10" name="fr10">[10]</a> It is unclear from publicly available information if grievances are addressed within a month.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf">http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf">http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf">http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a class="external-link" href="http://uidai.gov.in/organization-details.html">http://uidai.gov.in/organization-details.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://uidai.gov.in/privacy-policy.html">http://uidai.gov.in/privacy-policy.html</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://resident.uidai.net.in/home">http://resident.uidai.net.in/home</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf">http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="https://ssup.uidai.gov.in/web/guest/ssup-home">https://ssup.uidai.gov.in/web/guest/ssup-home</a></p>
<p>[<a href="#fr10" name="fn10">10</a>]. <a class="external-link" href="http://uidai.gov.in/contactus.html">http://uidai.gov.in/contactus.html</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules'>https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules</a>
</p>
No publisher | elonnai | UID, Internet Governance, Privacy | 2014-03-06T07:00:21Z | Blog Entry
Comparison of Section 35(1) of the Draft Human DNA Profiling Bill and Section 4 of the Identification Act Revised Statute of Canada
https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions
<b>A comparison of section 35(1) of the Draft Human DNA Profiling Bill, section 4 of the Identification Act, Revised Statute of Canada, and a review of international best practices. </b>
<p style="text-align: justify; ">In continuance of research around the <a href="https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012">Draft Human DNA Profiling Bill</a> that has been drafted by the Department of Biotechnology, this blog entry reviews best practices for the communication of DNA profiles from the DNA Bank Manager to law enforcement and the police, compares section 35(1) of the Draft Human DNA Profiling Bill and section 4 of the Identification Act Revised Statute of Canada, and recommends a revision of the present provision in the Draft Human DNA Profiling Bill.</p>
<h3 style="text-align: justify; ">Indian Provision</h3>
<p style="text-align: justify; ">35 (1) “<i>On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank in order to determine whether it is already contained in the DNA Data Bank and shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely – </i></p>
<p style="text-align: justify; "><i>(a) </i><i>As to whether the DNA profile received is already contained in the Data Bank; and </i></p>
<p style="text-align: justify; "><i>(b) </i><i>Any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. </i></p>
<p style="text-align: justify; "><i>(2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.”</i></p>
<h3 style="text-align: justify; ">Canadian Provision vs. Indian Provision</h3>
<p style="text-align: justify; ">According to the Draft Human DNA Profiling Bill, 35(1) was adopted from the DNA Identification Act Revised Statute of Canada section 4. The provision found in the Draft Human DNA Profiling Bill is different in three ways:</p>
<ol>
<li style="text-align: justify; ">The Canadian statute limits the communication of whether a DNA profile is contained in the Data Bank or not to law enforcement agencies or other DNA laboratories, whereas the provision in the Draft Human DNA Profiling Bill allows the communication to law enforcement agencies, other DNA data banks, and courts and tribunals. </li>
<li style="text-align: justify; ">The Canadian statute limits the comparison of any DNA profile to that as entered in the convicted offenders index or the crime scene index with those DNA profiles that are already contained in the databank, whereas the Draft Human DNA Profiling Bill allows for any received profile to be compared with the other profiles in the DNA Data Bank. </li>
<li style="text-align: justify; ">The Canadian statute defines four types of information that may be communicated to law enforcement or another DNA databank including:
<ol>
<li>(<i>a</i>) if the DNA profile is not already contained in the data bank, the fact that it is not;</li>
<li style="text-align: justify; ">(<i>b</i>) if the DNA profile is already contained in the data bank, the information contained in the data bank in relation to that DNA profile;</li>
<li style="text-align: justify; ">(<i>c</i>) if the DNA profile is, in the opinion of the Commissioner, similar to one that is already contained in the data bank, the similar DNA profile; and</li>
<li style="text-align: justify; ">(<i>d</i>) if a law enforcement agency or laboratory advises the Commissioner that their comparison of a DNA profile communicated under paragraph (<i>c</i>) with one that is connected to the commission of a criminal offence has not excluded the former as a possible match, the information contained in the data bank in relation to that profile.</li>
</ol>
</li>
</ol>
<p>The Draft Human DNA Profiling Bill, by contrast, provides for communication of only (a) and (b) by the DNA Data Bank Manager.</p>
<h3>Concerns with 35(1) and Best Practices</h3>
<p style="text-align: justify; ">The Centre for Internet and Society finds 35(1) problematic because a DNA profile is never a complete match, and is instead a scientifically and statistically based probability. There are a number of steps that go into the analysis of a DNA profile. According to the US National Institute of Justice, these include: “<i>1) the isolation of the DNA from an evidence sample containing DNA of unknown origin, and generally at a later time, the isolation of DNA from a sample (e.g., blood) from a known individual; 2) the processing of the DNA so that test results may be obtained; 3) the determination of the DNA test results (or types), from specific regions of the DNA; and 4) the comparison and interpretation of the test results from the unknown and known samples to determine whether the known individual is not the source of the DNA or is included as a possible source of the DNA.</i>”<a name="fr1"></a></p>
<p style="text-align: justify; ">Though it is common for DNA Banks to communicate responses such as “match”, “no match”, or “partial match” or “inclusion”, “exclusion”, or “inconclusive” to inquiries received from law enforcement and other DNA Banks, this is not the case for communications to courts and tribunals. For example, in England and Wales guidelines for presenting DNA evidence in court were laid out in the ruling R v. Doheny and Adams (1997) 1 Cr. App. R. 396. Along with comprehensive guidelines on how experts should conduct themselves in court to prevent bias, the guidelines require the following information to be presented when DNA material is used as evidence in a case:</p>
<ul>
<li style="text-align: justify; ">“The scientist should adduce the evidence of the DNA comparisons between the crime stain and the defendant’s sample together with the calculations of the Random Match Probability. </li>
<li style="text-align: justify; ">Whenever DNA evidence is adduced the Crown should serve on the defence details as to how the calculations have been carried out which are sufficient to enable the defence to scrutinize the basis of the calculations. </li>
<li style="text-align: justify; ">The Forensic Science Service should make available to a defence expert, if requested, the databases upon which the calculations have been made. </li>
<li style="text-align: justify; ">The expert will, on the basis of empirical statistical data, give the jury the random occurrence ratio - the frequency with which the matching DNA characteristics are likely to be found in the population at large. </li>
<li style="text-align: justify; ">Provided that the expert has the necessary data, it may then be appropriate for him to indicate how many people with the matching characteristics are likely to be found in the United Kingdom...”<a name="fr2"></a></li>
</ul>
<h3>Recommendations</h3>
<p style="text-align: justify; ">Given the influential weight that DNA evidence can have in a case, it is critical that the evidence is accurately presented to the court and other key stakeholders. The Centre for Internet and Society recommends that the Bill should distinguish the DNA Bank Manager’s response to law enforcement and other DNA laboratories from the DNA Bank Manager’s response to courts and tribunals as below:</p>
<ul>
<li style="text-align: justify; "><strong>Response to Law enforcement agency and DNA Laboratory:</strong> The DNA Bank Manager should respond to a request from law enforcement or a DNA laboratory with either: "match" or "partial match".</li>
<li style="text-align: justify; "><strong>Response to Court and tribunal:</strong> When DNA evidence is used in a court of law, the Bill should provide that the presentation should include:</li>
</ul>
<ol>
<li style="text-align: justify; ">The random match probability: The probability that the profile is in the sample from the individual tested if the individual tested has been selected at random. </li>
<li>The frequency with which the matching DNA characteristics are likely to be found in the population at large.</li>
<li>The probability of contamination. </li>
</ol>
<p style="text-align: justify; ">The Bill should also provide for the database upon which the calculations were based to be made available when requested. In addition, the Bill should provide for rules to be made prescribing the procedure for presentation.</p>
<hr />
<p>[<a name="fn1">1</a>]. <a class="external-link" href="http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx">http://nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx</a></p>
<p>[2]. <a class="external-link" href="http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf">http://www.medicalgenomics.co.uk/pdf/Barrister_vol32-2007.pdf</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions'>https://cis-india.org/internet-governance/blog/comparision-of-draft-human-dna-profiling-bill-and-identification-act-revised-statute-of-canada-provisions</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2014-03-03T08:20:55Z | Blog Entry
CIS Welcomes 52nd Report on Cyber Crime, Cyber Security, and Right to Privacy
https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy
<b>The “Fifty Second Report on Cyber Crime, Cyber Security, and Right to Privacy” issued by the 2013-2014 Standing Committee on Information Technology on February 12th 2014 highlights the urgent need for reform in India’s cyber security framework and the need for the much awaited privacy legislation to be finalized and made into a law. </b>
<hr />
<p class="callout" style="text-align: justify; "><a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf"><b>Read the Fifty-Second Report on Cyber Crime, Cyber Security and Right to Privacy released by the Department of Electronics and Information Technology</b></a></p>
<hr />
<p style="text-align: justify; ">The Report consists of questions on the state of cyber security, cyber crime, and privacy posed by the Standing Committee and briefings and evidence provided by the Department of Electronics and Information Technology (DEITY) in reply. The Report concludes with recommendations from the Standing Committee on the way forward.</p>
<p style="text-align: justify; ">The Report represents an important step forward in the realm of privacy and cyber security in India as the evidence provided by DEITY clarifies a number of aspects of India’s present and upcoming cyber security policies and practices. Furthermore, the recommendations by the Standing Committee highlight present gaps and inadequacies in India’s policies and practices and needed steps forward, particularly the need for a privacy legislation in India in the context of cyber security, increased transactions of sensitive data, and governmental projects like the Unique Identification Project.</p>
<p style="text-align: justify; ">Broadly, the Standing Committee sought input from DEITY on eight different aspects of cyber crime, cyber security, and privacy in India - namely: the growing incidents of cyber crime and resulting financial loss, the challenges and constraints of cyber crime, the role of relevant governmental organizations in India with respect to cyber security, preparedness and policy initiatives, cyber security and the right to privacy, monitoring and grievance redressal mechanism, and education and awareness initiatives. The evidence provided by DEITY sheds light on the present mindset of the Government at this time, upcoming policies, and capacity and infrastructure gaps in India’s cyber security framework.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the Report and we would like to highlight and emphasize the following aspects:</p>
<p style="text-align: justify; "><b>Need for a privacy legislation and inadequacy of privacy provisions in Information Technology Act</b>: When asked by the Standing Committee about the right to privacy and cyber security, DEITY highlighted the fact that the Information Technology Act contains sufficient safeguards for privacy, and added that the Department of Personnel and Training (DoPT) is in the process of developing a privacy legislation that will address the general concerns of privacy in the country, and thus the two together will be sufficient. DEITY also noted that no study on the extent of privacy breach due to cyber crime in India has been conducted. In their recommendations, the Standing Committee noted that it was unhappy that the Government has yet to institute a legal framework on privacy, as the increased transfer of sensitive data and projects like the UID leave citizens vulnerable to privacy violations. Significantly, the Standing Committee recommended that though the DoPT is currently responsible for drafting the Privacy Bill, DEITY should coordinate with the DoPT and become involved in the process. <br /><br />As recognized by the Standing Committee, the Centre for Internet and Society would like to further emphasize the inadequacy of the provisions relating to privacy in the Information Technology Act, and the need for a privacy legislation in India. Inadequate aspects of the provisions have been pointed out by a number of sources. For example:</p>
<ol>
<li style="text-align: justify; "><a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">The Report of the Group of Experts on Privacy</a>: Prepared by the committee chaired by Justice AP Shah </li>
<li style="text-align: justify; "><a class="external-link" href="http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf">First Analysis of the Personal Data Protection Law in India</a>: Prepared by the University of Namur for the Commission of the European Communities Directorate General for Justice, Freedom, and Security</li>
<li style="text-align: justify; "><a href="https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011" class="external-link">Comments on the Information Technology</a> (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Prepared by the Centre for Internet and Society and submitted to the Committee on Subordinate Legislation of the 15th Lok Sabha</li>
<li style="text-align: justify; "><a class="external-link" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1964013">India’s U-Turns on Data Privacy</a>: Prepared by Graham Greenleaf for the Privacy Laws &amp; Business International Report, Issues 110-114, 2011 </li>
</ol>
<p style="text-align: justify; "><b>Unclear Enforcement of 43A and associated rules</b>: In evidence provided, DEITY, while discussing section 43A and the associated Rules, noted that the Data Security Council of India and empanelled security auditors through CERT-in are responsible for the ‘auditing of best practices’ (pg 24). The Standing Committee did not directly respond to this comment.<br /><br />The Centre for Internet and Society would like to point out that DEITY did not clearly state that DSCI and the auditors through CERT-in were responsible for auditing organizational security practices for compliance with 43A. Furthermore, there is no publicly available information regarding audits ensuring compliance with 43A or information about the number of companies that have been found to be compliant. The Centre for Internet and Society would like to encourage that this information be made public, and compliance with 43A be enforced at the organizational level.</p>
<p style="text-align: justify; "><b>UIDAI not in compliance with 43A and associated Rules</b>: In evidence provided, DEITY noted that <i>“..Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”</i> (pg.46) In their recommendations the Standing Committee did not directly address this comment, but did emphasize the need for a privacy legislation in light of the UID scheme.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates that the Standing Committee raised concern about the privacy implications of the UID project. We would like to highlight that the UIDAI is not a Body Corporate, and is not in compliance with 43A or the subsequent Rules in the Information Technology Act. Furthermore, the UID project involves the handling and processing of data in analogue and digital formats, and thus the privacy protections found under 43A are not sufficient.</p>
<p style="text-align: justify; "><b>The potential harms of metadata</b>: In evidence provided, the Department noted <i>“...we have been assured that whatever data has been gathered by them for surveillance relates only to the metadata..but we expressed that any incursion into the content will not be tolerated and is not tolerable from the Indian stand and point of view.”</i> (pg.47) The Standing Committee did not respond directly to this comment.</p>
<p style="text-align: justify; ">The Centre for Internet and Society would like to thank the Standing Committee for noting that the Government should have taken prior steps to prevent such an interception from taking place and for recommending that the Department develop a policy to prevent future instances of interception from taking place. The Centre for Internet and Society would like to emphasize the importance and potentially sensitive nature of metadata. Metadata can, and often does, disclose more about an individual or an activity than the actual content. For example, metadata can reveal identity, behaviour patterns, associations, and can enable the mapping of location and individual movement. As such, the Centre for Internet and Society would recommend that the Government of India treat access to all information generated by individual and governmental communications as sensitive and confidential.</p>
<p style="text-align: justify; "><b>Inadequacy of the Information Technology Act</b>: When asked by the Standing Committee if the Information Technology Act provided sufficient legal safeguards for cyber security and cyber crime, DEITY highlighted the fact that the Information Technology Act 2000 addresses all aspects of cyber crime in a comprehensive manner. DEITY also pointed out that the National Cyber Security Policy 2013 has provisions to enable the development of a legal framework, and the Department of Personnel and Training is in the process of drafting a privacy legislation for India that will fill any gaps that exist. In their recommendations, the Standing Committee recognized that the Information Technology Act does contain provisions that address cyber security and cyber crime, but, especially in light of the recent controversy over section 66A of the Act, the Standing Committee emphasized the need for periodical reviews of the IT Act.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the fact that the Committee recognized the need for periodical review of the Information Technology Act, particularly in light of the controversy over 66 A. The Centre for Internet and Society would like to underscore the problems associated with 66A and would like to highlight that with regards to privacy and cyber security, the IT Act is not adequate and falls short in a number of areas. Research that the Centre for Internet and Society has conducted explaining these weaknesses can be found through the below links:</p>
<ol>
<li>Breaking Down Section 66A of the IT Act</li>
<li>Short note on IT Amendment Act, 2008</li>
</ol>
<p style="text-align: justify; "><b>Implications of domestic servers</b>: In response to questions posed by the Standing Committee about security risks associated with the importation of electronics and IT products, as well as the hosting of servers outside the country, DEITY noted the security risk of using foreign infrastructure and pointed to the hosting of servers in India as a solution to protecting the security and privacy of Indian data. The Standing Committee supported this initiative, and encouraged DEITY to take further steps towards securing and protecting the privacy of Indian data through the hosting of servers for critical sectors within India.</p>
<p style="text-align: justify; ">The Centre for Internet and Society appreciates the fact that the Standing Committee carefully limited the recommendation of locating servers in India to those in critical sectors, but would caution the Government about potential implications for users' ability to freely access content and services, and highlight the fact that localization of servers is not a security solution in itself, as a comprehensive solution and hardening of critical assets against cyber attacks is essential.</p>
<p style="text-align: justify; "><b>Incorporation of safeguards into MOUs for international cooperation</b>: When asked about MOUs for international cooperation that DEITY has engaged in with other countries, DEITY reported that currently CERT-in is entering into a number of MOUs with other countries to facilitate cooperation for cyber security purposes. Presently there are MOUs with the US, Japan, South Korea, Mauritius, Kazakhstan, Finland, and the Canada Electronics and ICT sector. DEITY is also seeking MOUs with Malaysia, Israel, Egypt, Canada, and Brazil. The Standing Committee supported India entering into MOUs for purposes of international cooperation, and encouraged DEITY to continue entering into MOUs to mitigate jurisdictional complications when seeking to address issues related to cyber security.</p>
<p style="text-align: justify; ">The Centre for Internet and Society recognizes the importance of international cooperation when handling issues related to cyber security and cyber crime. To ensure that this process is in line with human rights, the Centre for Internet and Society would encourage DEITY to ensure that all MOUs and/or Mutual Legal Assistance Agreements:</p>
<ul>
<li>Uphold the principle of dual criminality </li>
<li>Apply the highest level of protection for individuals in the case where the laws of more than one state could apply to communications surveillance </li>
<li style="text-align: justify; ">Are not used by any party involved to circumvent domestic legal restrictions on communications surveillance.</li>
<li>Are clearly documented and publicly available</li>
<li>Contain provisions guaranteeing procedural fairness.<a href="#fn1" name="fr1">[1] </a> </li>
</ul>
<p style="text-align: justify; "><b>Hacktivism as a benefit to society</b>: In evidence provided on page 14, DEITY, among other elements, referred to hacktivism as a societal challenge to securing cyber security and tackling cyber crime. The Standing Committee did not directly address this comment.</p>
<p style="text-align: justify; ">The Centre for Internet and Society would like to point out that hacktivism is a complex topic and consists of a range of methods. Though some methods used by hacktivists are illegal, and some use hacktivism for censorship purposes and to target certain groups, other forms of hacktivism can benefit society and strengthen cyber security by finding and revealing vulnerabilities in a system, and bringing attention to illegal or violative practices.</p>
<p style="text-align: justify; ">This works towards ensuring that a system is adequately secure. Because of the dynamic nature of hacktivism, the Centre for Internet and Society believes that hacktivism needs to be evaluated on a case by case basis and the Government should not broadly label hacktivism as a challenge to cyber security and cyber crime.<a href="#fn2" name="fr2">[2] </a></p>
<p style="text-align: justify; "><b>Importance of anonymous speech</b>: In evidence provided, DEITY noted the threat to cyber security that the anonymous nature of the internet posed. This was reiterated by the Standing Committee in their recommendations.</p>
<p style="text-align: justify; ">While recognizing the potential threat to cyber security that the anonymous nature of the internet can pose, the Centre for Internet and Society would like to highlight the importance of anonymous speech online to an individual’s right to free expression.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">Recognizing the direct connection between a strong privacy framework and a strong cyber security framework, as security cannot be achieved without privacy, and recognizing the need for a privacy legislation in light of governmental projects like the UID, the Centre for Internet and Society welcomes <i>the Fifty Second Report on Cyber Crime, Cyber Security, and the Right to Privacy</i> and echoes the Standing Committee’s recommendation and emphasis on the need for a comprehensive privacy legislation to be passed in India.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. These safeguards are reflected in the principle of “Safeguards for International Cooperation” found in the “International Principles on the Application of Human Rights to Communications Surveillance” <a class="external-link" href="https://en.necessaryandproportionate.org/text">https://en.necessaryandproportionate.org/text</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. For more information about hacktivism see: Activism, Hacktivism, and Cyberterrorism. The Internet as a Tool for Influencing Foreign Policy. By Dorothy E. Denning. Georgetown University. Available at: <a class="external-link" href="http://www.iwar.org.uk/cyberterror/resources/denning.htm">http://www.iwar.org.uk/cyberterror/resources/denning.htm</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy'>https://cis-india.org/internet-governance/blog/cis-welcomes-fifty-second-report-on-cyber-crime-cyber-security-right-to-privacy</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2014-02-24T10:49:46Z | Blog Entry
GNI Assessment Finds ICT Companies Protect User Privacy and Freedom of Expression
https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression
<b>Elonnai Hickok analyses a public report recently published by GNI on the independent assessment process for Google, Microsoft, and Yahoo. The report finds Google, Microsoft, and Yahoo to be in compliance with the GNI principles on privacy and freedom of expression.</b>
<h3>Introduction</h3>
<p style="text-align: justify; ">In January 2014, the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">Global Network Initiative (GNI)</a> published <a href="http://globalnetworkinitiative.org/sites/default/files/GNI%20Assessments%20Public%20Report.pdf">the <i>Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo</i></a>. GNI is an industry consortium that was started in 2008 with the objective of protecting users’ right to privacy and freedom of expression globally. The main objectives of GNI are to provide a framework for companies that is based on international standards, ensure accountability of ICT companies through independent assessments, create opportunities for policy engagement, and create opportunities for stakeholders from multiple jurisdictions to engage in dialogue with each other. The Centre for Internet and Society, Bangalore, is a member of GNI. Companies based in India have yet to join the GNI network as members.</p>
<h3 style="text-align: justify; ">Overview of the Public Report</h3>
<p style="text-align: justify; ">The Public Report provides an overview of assessments completed on the practices and policies of Google, Yahoo, and Microsoft from 2011 - 2013 to measure company compliance with the <a href="http://www.globalnetworkinitiative.org/sites/default/files/GNI_-_Principles_1_.pdf">GNI principles</a> on freedom of expression and privacy. The principles lay out broad guidelines that member companies should seek to incorporate in their internal and external practices and speak to freedom of expression, privacy, responsible company decision making, multi-stakeholder collaboration, and organizational governance, accountability, and transparency. The GNI principles have also been developed with <a href="https://globalnetworkinitiative.org/sites/default/files/GNI_-_Implementation_Guidelines_1_.pdf">Implementation Guidelines</a> to provide companies with a framework to respond to government requests. The assessment carried out by GNI reviewed cases in each company pertaining to governmental: blocking and filtering, takedown requests, criminalization of speech, intermediary liability, selective enforcement, content surveillance, and requests for user information.</p>
<p style="text-align: justify; ">Importantly, the assessment undertaken by GNI finds Yahoo, Microsoft, and Google to be in compliance with the GNI principles on freedom of expression and privacy. The Report highlights that practices that work to protect freedom of expression and privacy, such as conducting human rights impact assessments, issuing transparency reports, and notifying affected users when content is removed, have been adopted by these companies. For example, Google conducts Human Rights Impact Assessments to assess potential threats to freedom of expression and privacy. Google also has in place internal processes to review governmental requests impacting freedom of expression and privacy, and the legal team at Google prepares a “global removal report” to provide a bird’s eye view of trends emerging from content removal requests. If Google has the email address of a user whose posted content is removed, Google will often notify the user and direct the user to the Chilling Effects website. Google has also published a transparency report since 2010. Like Google, Microsoft conducts Human Rights Impact Assessments before making decisions on whether to incorporate certain features into its platforms when operating in high risk markets. Microsoft has also issued two global law enforcement requests reports in 2013. Yahoo has established a Business and Human Rights Program to ensure responsible actions are taken by the company with regards to freedom of expression and privacy, and now issues transparency reports about government requests. Yahoo’s Public Policy team also engages in dialogue with governments on an international level about existing and proposed legislation impacting and implicating privacy and freedom of expression.</p>
<p style="text-align: justify; ">The Report highlights challenges to compliance with the GNI principles that companies face, namely legal restraints and mandates. On the issue of transparency, the assessment found that companies do not disclose information when there are legal prohibitions on such disclosure, when users’ privacy would be implicated, when companies choose to assert attorney client privilege, and when trade secrets are involved. Despite this, the assessment found that companies do deny and push back on governmental requests impacting freedom of expression and privacy, for reasons such as that the request needed clarification and modification, or that the request needed to follow established procedure.</p>
<p style="text-align: justify; ">A number of findings came out of the assessments undertaken for the Report including:</p>
<ol>
<li style="text-align: justify; ">As demonstrated by the lack of ability to access information about secret national security requests, and the lack of ability for companies to disclose information on this topic, there is a dire need for governments to reform surveillance policy and law impacting freedom of expression and privacy.</li>
<li style="text-align: justify; ">The implementation of the GNI Principles is challenging when a company is undergoing an acquisition. In this scenario, contractual provisions limiting third party disclosure are critical in ensuring protection of privacy and free expression rights. </li>
<li style="text-align: justify; ">Companies need to pro-actively and on an ongoing basis internally review governmental restrictions on content to determine if it is in compliance with the commitment made by that company to the GNI Principles. </li>
</ol>
<p style="text-align: justify; ">The assessment resulted in GNI defining a number of actionable (non-binding) recommendations for companies such as:</p>
<ul>
<li>Improve the integration of human rights considerations in the due diligence process with respect to the acquiring and selling companies. </li>
<li>Consider the impact of hardware on freedom of expression and privacy.</li>
<li>Improve external and internal reporting.</li>
<li>Review employee access to user data to ensure that employee access rights are restricted by both policy and technical measures on a ‘need to know’ basis across global operations. </li>
<li>Review executive management training.</li>
<li>Improve stakeholder engagement.</li>
<li>Improve communication with users. </li>
<li>Increase sharing of best practices. </li>
<li>The GNI principles are focused on freedom of expression and privacy and are based on internationally recognized laws and standards for human rights. </li>
</ul>
<h3>NSA leaks, global push for governmental surveillance reform, and the Public Report</h3>
<p style="text-align: justify; ">With special attention given to the companies’ responses to the NSA leaks, the Report notes that in response the assessed companies have issued public statements, filed legal challenges with the US government, and filed suit with the FISA Court seeking the right to disclose to the public data relating to the number of FISA requests received. All three companies have also supported legislation and policy that would allow for such transparency. Furthermore, in December 2014, the companies, along with other internet companies, developed and issued the five <a href="http://reformgovernmentsurveillance.com/">Principles on Global Government Surveillance Reform</a>. Similar to other efforts to end mass and disproportionate surveillance, such as the <a href="https://en.necessaryandproportionate.org/text">Necessary and Proportionate</a> principles, the Principles on Global Government Surveillance Reform address: Limiting Governments’ Authority to Collect Users’ Information, Oversight and Accountability, Transparency about Government Demands, Respecting the Free Flow of Information, and Avoiding Conflicts Among Governments. Other companies that signed these principles include AOL, Facebook, LinkedIn, and Twitter.</p>
<p style="text-align: justify; ">Along these lines, on January 14<sup>th</sup>, GNI released the statement <a href="http://globalnetworkinitiative.org/news/surveillance-reforms-protect-rights-and-restore-trust">“Surveillance Reforms to Protect Rights and Restore Trust”</a>, urging the U.S. Government to review and enact surveillance legislation that incorporates a ‘rights based’ approach to issues involving national security. In the statement, GNI specifically recommends that the Government take action to: end mass collection of communications metadata, protect and uphold the rights of non-Americans, continue to increase transparency of surveillance practices, and support the use of strong encryption standards.</p>
<h3 style="text-align: justify; ">Conclusion and way forward</h3>
<p style="text-align: justify; ">Looking ahead, GNI is planning on developing and implementing a mechanism to effectively address consumer engagement and complaints issued by individuals who feel that GNI member companies have not acted consistently with the commitments made as a GNI member. GNI is also looking to expand work around public policy and surveillance.</p>
<p style="text-align: justify; ">The Public Report on the Independent Assessment Process for Google, Microsoft, and Yahoo is an important step towards ensuring ICT sector companies are accountable to the public in their practices impacting freedom of expression and privacy. The assessment comes at a time when ICT companies often find themselves stuck between a rock and a hard place – with Governments issuing surveillance and censorship demands with mandates for non-disclosure, and the public demanding transparency, company resistance to such demands from the Government, and a strong commitment to users’ freedom of expression and privacy. Hopefully, the GNI assessment is and will evolve into a middle ground for ICT companies – where they can be accountable to the public and their customers and compliant with Governmental mandates in all jurisdictions that they operate in. It will be interesting to see if in the future Indian companies join GNI as members and begin to adopt the GNI principles and undergo GNI assessments.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression'>https://cis-india.org/internet-governance/blog/gni-assessment-finds-ict-companies-protect-user-privacy-and-freedom-of-expression</a>
</p>
No publisher | elonnai | Freedom of Speech and Expression, Internet Governance | 2014-01-20T06:17:46Z | Blog Entry
Internet Privacy in India
https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india
<b>Internet privacy encompasses a wide range of issues and topics. It can be understood as privacy rights that an individual has online with respect to their data, and violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing. </b>
<h3 style="text-align: justify; ">The Changing Nature of Information</h3>
<p style="text-align: justify; ">For example, the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing and re-defining personal data and what type of protections personal data deserves and can be given. Seemingly harmless data such as IP addresses, key words used in searches, and websites visited can now be combined and analysed to identify individuals and learn personal information about an individual. From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, does not know who is accessing the information, and does not have control over how their information is being handled, and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.</p>
<h3 style="text-align: justify; ">The Blurry Line between the Public and Private Sphere</h3>
<p style="text-align: justify; ">The above example also highlights how the “sphere” of information on the internet is unclear, i.e. is information posted on social media public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc. – or is information posted on social media private, and thus requiring authorization for further use? For example, in India, in 2013 the Mumbai police established a “social media lab” for the purposes of monitoring and tracking user behavior and activities.<a href="#fn1" name="fr1">[1] </a></p>
<p style="text-align: justify; ">Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information. Similar dilemmas have been dealt with by other countries. For example, in the U.S, individuals have contested the use of their tweets without permission,<a href="#fn2" name="fr2">[2]</a> while courts in the US have ruled that tweets, private and public, can be obtained by law enforcement with only a subpoena, as technically the information has been shared with another entity, and is therefore no longer private.<a href="#fn3" name="fr3">[3] </a>Indian Courts have yet to deal directly with the question of social media content being public or private information.</p>
<h3 style="text-align: justify; ">The Complication of Jurisdiction</h3>
<p style="text-align: justify; ">The borderless nature of information flows over the Internet complicates online privacy, as an individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in. Thus, for example, an Indian using Gmail will be subject to the laws of the United States. On one hand this could be seen as a positive, if one country has stronger privacy protections than another, but could also be damaging to privacy in the reverse situation – where one country has lower privacy standards and safeguards. In addition to the dilemma of different levels of protection being provided over data as it flows through different jurisdictions, access by law enforcement to data stored in a different jurisdiction, or data from one country accessible to law enforcement because it is being processed in their jurisdiction, are two other complications that arise. These complications cannot be emphasized more than with the case of the NSA Leaks. Because Indian data was residing in US servers, the US government could access and use the data with no obligation to the individual.<a href="#fn4" name="fr4">[4] </a>In response to the NSA leaks, the government of India has stated that all facts need to be known before any action is taken, while citizens initially sought to hold the companies who disclosed the data to US security agencies, such as Google, Facebook etc., accountable.<a href="#fn5" name="fr5">[5] </a></p>
<p style="text-align: justify; ">Despite this, because the companies were acting within the legal limits of the United States where they were incorporated, they could not be held liable. In response to the dilemma, many actors in India, including government and industry are asking for the establishment of 'domestic servers'. For example, Dr. Kamlesh Bajaj, CEO of Data Security Council of India was quoted in Forbes magazine promoting the establishment of India centric social media platforms.<a href="#fn6" name="fr6">[6] </a>Similarly, after the PRISM scandal became public, the National Security Advisor requested the Telecom Department to only route traffic data through Indian servers.<a href="#fn7" name="fr7">[7] </a></p>
<p style="text-align: justify; ">In these contexts, the internet is a driving force behind a growing privacy debate and awareness in India.</p>
<h3 style="text-align: justify; ">Current Policy for Internet Privacy in India</h3>
<p style="text-align: justify; ">Currently, India's most comprehensive legal provisions that speak to privacy on the internet can be found in the Information Technology Act (ITA) 2000. The ITA contains a number of provisions that can, in some cases, safeguard online privacy, or in other cases, dilute online privacy. Provisions that clearly protect user privacy include: penalizing child pornography,<a href="#fn8" name="fr8">[8]</a> penalizing hacking and fraud,<a href="#fn9" name="fr9">[9] </a>and defining data protection standards for body corporate.<a href="#fn10" name="fr10">[10] </a></p>
<p style="text-align: justify; ">Provisions that serve to dilute user privacy speak to access by law enforcement to user's personal information stored by body corporate,<a href="#fn11" name="fr11">[11]</a> collection and monitoring of internet traffic data,<a href="#fn12" name="fr12">[12] </a>and real time monitoring, interception, and decryption of online communications.<a href="#fn13" name="fr13">[13]</a> Additionally, legislative gaps in the ITA serve to weaken the privacy of online users. For example, the ITA does not address questions and circumstances like the evidentiary status of social media content in India, merging and sharing of data across databases, whether individuals can transmit images of their own “private areas” across the internet, if users have the right to be notified of the presence of cookies and do-not track options, the use of electronic personal identifiers across data bases, and if individuals have the right to request service providers to take down and delete their personal content.</p>
<h3 style="text-align: justify; ">Online Data Protection</h3>
<p style="text-align: justify; ">Since 2010, there has been an increasing recognition by both the government and the public that India needs privacy legislation, specifically one that addresses the collection, processing, and use of personal data. The push for adequate data protection standards in India has come both from industry and industrial bodies like DSCI – who regard strong data protection standards as an integral part of business, and from the public, which has voiced increasing concerns that governmental projects, such as the UID, involved with collecting, processing, and using personal data are presently not adequately regulated and are collecting and processing data in such a way that abuses individual privacy. As mentioned above, India's most comprehensive data protection standards are found in the ITA and are known as the Information Technology “Reasonable security practices and procedures and sensitive personal data or information” Rules 2011.<a href="#fn14" name="fr14">[14] </a></p>
<p style="text-align: justify; ">The Rules seek to provide rights to the individual with regards to their information and obligate body corporate to take steps towards protecting the privacy of consumer's information. Among other things, the Rules define “sensitive personal information” and require that any corporate body must publish an online privacy policy, provide individuals with the right to access and correct their information, obtain consent before disclosing sensitive personal information – except in the case of law enforcement, provide individuals the ability to withdraw consent, establish a grievance officer, require companies to ensure equivalent levels of protection when transferring information, and put in place reasonable security practices. Though the Rules are the strongest form of data protection in India, they have not been recognized by the European Union as meeting the EU standards of “data secure”<a href="#fn15" name="fr15">[15] </a>and many gaps still exist. For example, the Rules apply only to:</p>
<ul style="text-align: justify; ">
<li>Body corporate and not to the government</li>
<li>Electronically generated and transmitted information </li>
<li>A limited scope of sensitive personal information.</li>
<li>A body corporate when a contractual agreement is not already in place.</li>
</ul>
<p style="text-align: justify; ">These gaps leave a number of bodies unregulated and types of information unprotected, and limit the scope of the Rules. It is also unclear to what extent companies are adhering to these Rules, and if they are applying the Rules only to the use of their website or if they are also applying the Rules to their core business practices.</p>
<h3 style="text-align: justify; ">Cyber Cafés</h3>
<p style="text-align: justify; ">In 2011 the Guidelines for Cyber Café Rules were notified under the Information Technology Act. These Rules, among other things, require Cyber Cafés to retain the following details for every user for a period of one year: details of identification, name, address, contact number, gender, date, computer terminal identification, log in time, and log out time. These details must be submitted to the same agency as directed, on a monthly basis.<a href="#fn16" name="fr16">[16]</a> Cyber Cafés must also retain the history of websites accessed and logs of proxy servers installed at the cyber café for a period of one year.<a href="#fn17" name="fr17">[17] </a>Furthermore, Cyber Cafés must ensure that the partitions between cubicles do not exceed four and a half feet in height from floor level.<a href="#fn18" name="fr18">[18]</a> Lastly, the cyber café owner is required to provide every related document, register, and information to any officer authorized by the registration agency on demand.<a href="#fn19" name="fr19">[19] </a>In effect, the identification and retention requirements of these rules impact both privacy and freedom of expression, as cyber café users cannot use the facility anonymously and all their information, including browser history, is stored on an a-priori basis. The disclosure provisions in these rules also impact privacy and demonstrate a dilution of access standards for law enforcement to users’ internet communications, as the provision does not define:</p>
<ul style="text-align: justify; ">
<li>An authorization process which the registration agency follows to authorize individuals to conduct inspections.</li>
<li>Circumstances in which inspection of a Cyber Café by an authorized officer is necessary and permissible.</li>
<li>The process by which information can be requested, and instead vaguely requires cyber café owners to disclose information “on demand”.</li>
</ul>
<h3 style="text-align: justify; ">Online Surveillance and Access</h3>
<p style="text-align: justify; ">The ITA also allows for the interference of user privacy online by defining broad standards of access to law enforcement and security agencies, and providing the government with the power to determine what tools individuals can use to protect their privacy. This is most clearly demonstrated by provisions that permit the interception, monitoring, and decryption of digital communications,<a href="#fn20" name="fr20">[20]</a> provide for the collection and monitoring of traffic data,<a href="#fn21" name="fr21">[21]</a> and allow the government to set the national encryption standard.<a href="#fn22" name="fr22">[22] </a>In particular, the structure of these provisions and the lack of safeguards incorporated serve as a dilution to user privacy. For example, though these provisions create a framework for interception, they are missing a number of internationally recognized safeguards and practices, such as notice to the individual, judicial oversight, and transparency requirements. Furthermore, the provisions place extensive security and technical obligations on the service provider – as they are required to extend all facilities necessary to security agencies for interception and decryption, and hold the service provider liable for imprisonment up to seven years for non-compliance. This creates an environment where it is unlikely that the service provider would challenge any request for access or interception from law enforcement. Interception is also regulated through provisions and rules under the Indian Telegraph Act 1885 and subsequent ISP and UAS licenses.</p>
<h3 style="text-align: justify; ">Scope of Surveillance and Access</h3>
<p style="text-align: justify; ">The extent to which the Government of India lawfully intercepts communications is not entirely clear, but in 2011 news items quoted that in the month of July, 8,736 phones and e-mail accounts were under lawful surveillance.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Though this number is representative of authorized interception, there have been a number of instances of unauthorized interceptions that have taken place as well. For example, in 2013 it was found that in Himachal Pradesh 1371 phones were tapped based on verbal approval, while the Home Ministry had only authorized interception of 170.<a href="#fn24" name="fr24">[24] </a>This demonstrates that there are instances when existing safeguards for interception and surveillance are undermined and highlights the challenge of enforcement for even existing safeguards.</p>
<p style="text-align: justify; ">Demonstrating the tensions between right to privacy and governmental access to communications, and at the same time highlighting the issue of jurisdiction, was the standoff between RIM/BlackBerry and the Indian Government. For several years, the Indian Government has requested that RIM provide access to the company’s communication traffic, both BIS and BES, as Indian security agencies have been unable to decrypt the data. Solutions that the Indian Government has proposed include: RIM providing the decryption keys to the government, RIM establishing a local server, and local ISPs and telcos developing an indigenous monitoring solution. In 2012, RIM finally established a server in Mumbai and in 2013 provided a lawful interception solution that satisfied the Indian Government.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; ">The implementation of the Central Monitoring System by the Indian Government is another example of the Government seeking greater access to communications. The system will allow security agencies to bypass service providers and directly intercept communications. It is unclear if the system will provide for the interception of only telephonic communications or if it will also allow for the interception of digital communications and internet traffic. It is also unclear what checks and balances exist in the system. By removing the service provider from the equation the government is not only taking away a potential check, as service providers can resist unauthorized requests, but it is also taking away the possibility for companies to be transparent about the interception requests that they comply with.</p>
<h2 style="text-align: justify; ">Future frameworks for privacy in India: The Report of the Group of Experts on Privacy</h2>
<p style="text-align: justify; ">In October 2012 the Report of the Group of Experts on Privacy was published by a committee of experts chaired by Justice A.P. Shah.<a href="#fn26" name="fr26">[26] </a>The report creates a set of recommendations for a privacy framework and legislation in India. Most importantly, the Report recognizes privacy as a fundamental right and defines nine National Privacy Principles that would apply to all data controllers both in the private sector and the public sector. This would work to ensure that businesses and governments are held accountable to protecting privacy and that legislation and practices found across sectors, states/governments, organizations, and governmental bodies are harmonized. The privacy principles are in line with global standards including the EU, OECD, and APEC principles on privacy, and include: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, security.</p>
<p style="text-align: justify; ">The Report also envisions a system of co-regulation, in which the National Privacy Principles will be binding for every data controller, but Self Regulatory Organizations at the industry level will have the option of developing principles for that specific sector. The principles developed by industry must be approved by the privacy commissioner and be in compliance with the National Privacy Principles. In addition to defining principles, the Report recommends the establishment of a privacy commissioner for overseeing the implementation of the right to privacy in India and specifies that aggrieved individuals can seek redress either through issuing a complaint to the privacy commissioner or going before a court.</p>
<p style="text-align: justify; ">The nine national privacy principles include:</p>
<p style="text-align: justify; ">Principle 1: Notice</p>
<p style="text-align: justify; ">A data controller shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:</p>
<p style="text-align: justify; "><b>During Collection </b></p>
<ul>
<li>What personal information is being collected; </li>
<li>Purposes for which personal information is being collected; </li>
<li>Uses of collected personal information; </li>
<li>Whether or not personal information may be disclosed to third persons; </li>
<li>Security safeguards established by the data controller in relation to the personal information; </li>
<li>Processes available to data subjects to access and correct their own personal information; </li>
<li>Contact details of the privacy officers and SRO ombudsmen for filing complaints. </li>
</ul>
<p style="text-align: justify; "><b>Other Notices</b><br />Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Service providers would have to explain how the information would be used and if it may be disclosed to third persons such as advertisers, processing Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: A telecom service provider must make available to individuals a privacy policy before any personal information is collected by the company. The notice must include all categories of information as identified in the principle of notice. For example, the service provider must identify the types of personal information that will be collected from the individual from the initial start of the service and during the course of the consumer using the service. For a telecom service provider this could range from name and address to location data. The notice must identify if information will be disclosed to third parties such as advertisers, processors, or other telecom companies. If a data breach that was the responsibility of the company takes place, the company must notify all affected customers. If individuals have their personal data accessed or intercepted by Indian law enforcement or for other legal purposes, they have the right to be notified of the access after the case or other purpose for the data has been met.</p>
<h3 style="text-align: justify; ">Principle 2: Choice and Consent</h3>
<p style="text-align: justify; ">A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required.</p>
<p style="text-align: justify; "><b>Example of implementation</b>: If an individual is signing up to a service, a company can only begin collecting, processing, using and disclosing their data after consent has been taken. If the provision of information is mandated by law, as is the case for the census, this information must be anonymized after a certain amount of time if it is published in public databases. If there is a case where consent is not possible, such as in a medical emergency, consent does not need to be taken before processing information.</p>
<h3 style="text-align: justify; ">Principle 3: Collection Limitation</h3>
<p>A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information to open an account for a potential customer, they must collect only that information which is absolutely necessary for the purpose of opening the account, after they have taken the consent of the individual.</p>
<h3 style="text-align: justify; ">Principle 4: Purpose Limitation</h3>
<p style="text-align: justify; ">Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a bank is collecting information from a customer for opening a bank account, the bank can only use that information for the purpose of opening the account and any other reasons consented to. After a bank has used the information to open an account, it must be destroyed. If the information is retained by the bank, it must be done so with consent, for a specific purpose, with the ability of the individual to access and correct the stored information, and in a secure fashion.</p>
<h3 style="text-align: justify; ">Principle 5: Access and Correction</h3>
<p style="text-align: justify; ">Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: An individual who has opened a bank account has the right to access the information that was initially provided and subsequently generated. If there is a mistake, the individual has the right to correct the mistake. If the individual requests information related to him that is stored on a family member from the bank, the bank cannot disclose this information without explicit consent from the family member as it would impact the privacy of another.</p>
<h3 style="text-align: justify; ">Principle 6: Disclosure of Information</h3>
<p style="text-align: justify; ">A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a website, like a social media site, collects information about how a consumer uses its website, this information cannot be sold or shared with other websites or partners, unless notice of such sharing has been given to the individual and consent has been taken from the individual. If websites provide information to law enforcement, this must be done in accordance with laws in force, and cannot be done through informal means. The social media site would be prohibited from publishing, sharing, or making public the personal information in any way without obtaining informed consent.</p>
<h3 style="text-align: justify; ">Principle 7: Security</h3>
<p style="text-align: justify; ">A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a company is a telecommunication company, it must have security measures in place to protect customers’ communications data from loss, unauthorized access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure, or other foreseeable risk. This could include encrypting communications data, having in place strong access controls, and establishing a clear chain of custody for the handling and processing of communications data.</p>
<h3 style="text-align: justify; ">Principle 8: Openness</h3>
<p style="text-align: justify; ">A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: If a hospital is collecting and processing personal information of, for example, 1,000 patients, their policies and practices must reflect and be applicable to the amount, sensitivity, and nature of information that they are collecting. The policies about the same must be made available to all individuals – this includes individuals of different intelligence, skill, and developmental levels.</p>
<h3 style="text-align: justify; ">Principle 9: Accountability</h3>
<p style="text-align: justify; ">The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including tools, training, and education; external and internal audits; and requiring organizations or overseeing bodies to extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.</p>
<p style="text-align: justify; "><b>Example of Implementation</b>: To ensure that a hospital is in compliance with the national privacy principles, it must undertake activities like running trainings and providing educational information to employees on how to handle patient related information, conducting audits, and establishing an officer or body for overseeing the implementation of privacy.</p>
<h3 style="text-align: justify; ">Public Discourses on Privacy</h3>
<p style="text-align: justify; ">In India, there have been a number of important discourses related to privacy around various projects and topics. These discourses have been driving public awareness about privacy in India, and represent an important indication of public perception of privacy and privacy concerns.</p>
<h3 style="text-align: justify; ">The Unique Identification Project</h3>
<p style="text-align: justify; ">One of these discourses is a public dialogue and debate on the Unique Identification Project. Since 2009 the Government of India has been rolling out an identity scheme known as UID or Aadhaar. The scheme is applicable to all residents in India, and seeks to provide individuals with an identity based on their fingerprints, iris scans, and photograph. The project has been heavily supported by some, and at the same time, heavily critiqued by others. Of those critiquing the project, which included a Parliamentary Standing Committee on Finance,<a href="#fn27" name="fr27">[27] </a>privacy has been a driving force behind the concerns about the project. Critics argue that not only does the UID Bill not have sufficient privacy safeguards in its provisions<a href="#fn28" name="fr28">[28] </a>but that the design of the project and the technology of the project place individual privacy at risk. For example, the project relies on centralized storage of biometrics collected under the scheme; it does not account for or address how transaction data that is generated each time an individual identifies himself/herself with the UID will be stored, processed, and shared; and does not provide adequate security measures to protect sensitive information like biometrics.</p>
<h3 style="text-align: justify; ">The Human DNA Profiling Bill</h3>
<p style="text-align: justify; ">In 2006 the Department of Biotechnology piloted a draft human DNA Profiling Bill with the objective of creating DNA databases at the national and regional levels, and enabling the creation and storage of DNA profiles for forensic purposes. Since 2006 there have been two more drafts of the bill released to the public, and an expert committee has been created to finalize the text of the bill. Individuals, including the Centre for Internet and Society, publicly raising concern about the bill, cite a lack of privacy safeguards in the provisions, and expansive circumstances and reasons that the bill permits the creation and storage of DNA profiles.<a href="#fn29" name="fr29">[29]</a></p>
<h3 style="text-align: justify; ">Surveillance</h3>
<p style="text-align: justify; ">For many years there has been running public discourse about the surveillance that the Indian government has been undertaking. This discourse is growing and is now being linked to privacy and the need for India to enact a privacy legislation. As discussed above, the current surveillance regime is lacking on many fronts, while at the same time the government continues to seek greater interception powers and more access to larger sets of information in more granularity. Projects like the Central Monitoring System, NATGRID, and Lawful Interception Solutions have caused individuals to question the government on the proportionality of State surveillance and ask for a comprehensive privacy legislation that also regulates surveillance.</p>
<p style="text-align: justify; ">The need for strong and enforceable surveillance provisions is not unique to India, and in 2013 the International Principles on the Application of Human Rights to the Surveillance of Communications were drafted. The principles lay out standards that ensure that surveillance is in compliance with international human rights law and serve as safeguards that countries can incorporate into their regimes to ensure the same. The principles include: legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, safeguards against illegitimate access. Along with defining safeguards, the principles highlight the challenge of rapidly changing technology and how it is constantly changing how information can be surveilled by governments, what information is surveilled by governments, and how information can be combined and analysed to draw conclusions about individuals.</p>
<h3 style="text-align: justify; ">A Privacy Legislation for India</h3>
<p style="text-align: justify; ">Since 2010, there has been a strong public discourse around the need for a privacy legislation in India. In November 2010, a “Privacy Approach” paper was released to the public which envisioned the creation of a data protection legislation. In 2011, the Department of Personnel and Training released a draft privacy bill that defined a privacy regime that encompassed data protection, surveillance, and mass marketing, and recognized privacy as a fundamental right.<a href="#fn31" name="fr31">[31] </a>In 2012 the Report of the Group of Experts on Privacy, as discussed above, was published.<a href="#fn32" name="fr32">[32] </a>Presently, the Department of Personnel and Training is drafting the text of the Government’s Privacy Bill. In 2013, the Centre for Internet and Society drafted the Citizen’s Privacy Protection Bill – a citizen’s version of a privacy legislation for India.<a href="#fn33" name="fr33">[33]</a> From April 2013 to October 2013, the Centre for Internet and Society, in collaboration with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India, held a series of seven Privacy Roundtables across India. The objective of the Roundtables was to gain public feedback on a privacy framework in India. Topics discussed during the meetings included how to define sensitive personal information vs. personal information, whether co-regulation should be adopted as a regulatory framework, and what the legal exceptions to the right to privacy should be.<a href="#fn34" name="fr34">[34]</a></p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">Clearly, privacy is an emerging and increasingly important field in India’s internet society. As companies collect greater amounts of information from and about online users, and as the government continues to seek greater access and surveillance capabilities, it is critical that India prioritizes privacy and puts in place strong safeguards to protect the privacy of both Indians and foreigners whose data resides temporarily or permanently in India. The first step towards this is the enactment of a comprehensive privacy legislation recognizing privacy as a fundamental right. The Report of the Group of Experts on Privacy and the government considering a draft privacy bill are all steps in the right direction.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. http://www.zdnet.com/in/india-sets-up-social-media-monitoring-lab-7000012758/</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. http://www.techdirt.com/articles/20130203/18510621869/investigative-journalist-claims-her-public-tweets-arent-publishable-threatens-to-sue-blogger-who-does-exactly-that.shtml</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us</p>
<p style="text-align: justify; ">[<a href="#fr4" name="fn4">4</a>]. http://www.bbc.co.uk/news/technology-24744695</p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. http://www.thehindu.com/news/national/sc-to-hear-pil-on-us-surveillance-of-internet-data/article4829549.ece</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. http://forbesindia.com/article/checkin/indias-internet-privacy-woes/35971/1</p>
<p style="text-align: justify; ">[<a href="#fr7" name="fn7">7</a>]. http://www.thehindubusinessline.com/industry-and-economy/info-tech/route-domestic-net-traffic-via-india-servers-nsa-tells-operators/article5022791.ece</p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. ITA section 67</p>
<p style="text-align: justify; ">[<a href="#fr9" name="fn9">9</a>]. ITA section 43, 66, and 66F</p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Information Technology (Reasonable security practices and procedures and Sensitive personal data or information) Rules, 2011. section 6(1)</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Information Technology (Procedure and Safeguards for monitoring and collection of Traffic Data or other information) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn1">13</a>]. Information Technology (Procedure and Safeguards for intercepting, monitoring, and decryption) Rules 2009</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Ibid footnote 6</p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. Business Standard. Data secure status for India is vital: Sharma on the FTA with EU. September 3rd 2013. Available at: http://www.business-standard.com/article/economy-policy/data-secure-status-for-india-is-vital-sharma-on-fta-with-eu-113090300889_1.html</p>
<p style="text-align: justify; ">[<a href="#fr16" name="fn16">16</a>]. Guidelines for Cyber Cafe Rules 5(2) & 5(3). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Guidelines for Cyber Cafe Rules 5(4)</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Guidelines for Cyber Cafe Rules 5(6)</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Guidelines for Cyber Café Rules 7(1)</p>
<p style="text-align: justify; ">[<a href="#fr20" name="fn20">20</a>]. Ibid footnote 9</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Ibid footnote 8</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. ITA section 84A</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. Jain, B. 8,736 phone and e-mail accounts tapped by different government agencies in July. September 17th 2011. Available at: http://articles.economictimes.indiatimes.com/2011-09-17/news/30169231_1_phone-tap-e-mail-accounts-indian-telegraph-act</p>
<p style="text-align: justify; ">[<a href="#fr24" name="fn24">24</a>]. The Economic Times. Action to be taken in ‘phone tapping’ during BJP rule: Virbhadra Singh. March 6th 2013. Available at: http://articles.economictimes.indiatimes.com/2013-03-06/news/37500338_1_illegal-phone-virbhadra-singh-previous-bjp-regime</p>
<p style="text-align: justify; ">[<a href="#fr25" name="fn25">25</a>]. Chaudhary, A. BlackBerry’s Tussle with Indian Govt. Finally Ends; BB Provides Interception System. http://www.medianama.com/2013/07/223-blackberrys-tussle-with-indian-govt-finally-ends-bb-provides-interception-system/</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Report of the Group of Experts on Privacy. Available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. http://www.indianexpress.com/news/uid-bill-skips-vital-privacy-issues/688614/</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. http://www.epw.in/authors/elonnai-hickok</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf</p>
<p style="text-align: justify; ">[<a href="#fr31" name="fn31">31</a>]. http://www.iltb.net/2011/06/analysis-of-the-privacy-bill-2011/</p>
<p style="text-align: justify; ">[<a href="#fr32" name="fn32">32</a>]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</p>
<p style="text-align: justify; ">[<a href="#fr33" name="fn33">33</a>]. http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft</p>
<p style="text-align: justify; ">[<a href="#fr34" name="fn34">34</a>]. http://cis-india.org/internet-governance/blog/national-privacy-roundtable-meetings</p>
<p>
For more details visit <a href='https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india'>https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india</a>
</p>
elonnai | Internet Access | 2014-01-08T13:51:06Z | Page
CIS Supports the UN Resolution on “The Right to Privacy in the Digital age”.
https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d
<b>The United Nations adopted the resolution on the right to privacy recently. It recognised privacy as a human right, integral to the right to free expression, and also declared that mass surveillance could have negative impacts on human rights. </b>
<p style="text-align: justify; ">On <a class="external-link" href="https://www.un.org/News/Press/docs/2013/gashc4094.doc.htm">November 26, 2013</a>, the United Nations adopted a non-binding resolution on <a href="http://www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1">The Right to Privacy in the Digital Age</a>. The resolution was drafted <a href="http://news.idg.no/cw/art.cfm?id=F0537DC8-A06C-E9D5-2EBACEA94829DAC1">by Brazil and Germany</a> and expressed concern over the negative impact of surveillance and interception on the exercise of human rights. The resolution was controversial as countries such as the US, the UK, and Canada opposed language that spoke to the right to <a href="http://www.theguardian.com/world/2013/nov/26/un-surveillance-resolution-human-right-privacy">privacy extending equally to citizens and non-citizens of a country. </a> The resolution welcomed the report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression that examined the implications of surveillance of communications on the human rights of privacy and freedom of expression.</p>
<p style="text-align: justify; ">The resolution made a number of important statements that India, as a member of the United Nations, and as a country in the process of implementing a number of surveillance projects, like the <a href="http://www.indexoncensorship.org/2013/11/india-online-report-freedom-expression-digital-freedom-3/">Central Monitoring System</a>, should take cognizance of, including in short:</p>
<ol>
<li style="text-align: justify; "><b>Privacy is a human right</b>: Privacy is a human right according to which no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence. </li>
<li style="text-align: justify; "><b>Privacy is integral to the right to free expression</b>: Privacy is an integral component in recognizing the right to freedom of expression. </li>
<li style="text-align: justify; "><b>Unlawful and arbitrary surveillance violates the right to privacy and freedom of expression</b>: Unlawful and/or arbitrary surveillance, interception, and collection of personal data are intrusive acts that violate the right to privacy and freedom of expression. </li>
<li style="text-align: justify; "><b>Exceptions to privacy and freedom of expression should be in compliance with human rights law:</b> Public security is a potential exception justifying collection and protection of information, but States must ensure that this is done fully in compliance with international human rights law. </li>
<li style="text-align: justify; "><b>Mass surveillance may have negative implications for human rights: </b>Domestic and extraterritorial surveillance, interception, and the collection of personal data on a mass scale may have a negative impact on individual human rights. </li>
<li style="text-align: justify; "><b>Equal protection for online and offline privacy:</b> The right to privacy must be equally protected online and offline.</li>
</ol>
<p>The resolution further called upon states to:</p>
<ol>
<li style="text-align: justify; ">Respect and protect the right to privacy, particularly in the context of digital communications.</li>
<li style="text-align: justify; ">Ensure that relevant legislation is in compliance with international human rights law.</li>
<li style="text-align: justify; ">Review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</li>
<li style="text-align: justify; ">Establish and maintain effective domestic oversight mechanisms around domestic surveillance capable of ensuring transparency and accountability.</li>
</ol>
<p style="text-align: justify; ">The resolution finally calls upon the UN High Commissioner for Human Rights to present a report with views and recommendations on the protection and promotion of the right to privacy in the context of surveillance to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session and decides to examine “Human rights questions, including alternative approaches for improving the effective enjoyment of human rights and fundamental freedoms”.</p>
<p style="text-align: justify; ">The UN Resolution on the Right to Privacy in the Digital Age is a welcome step towards an international recognition of privacy as a human right in the context of communications and extra territorial surveillance. The Centre for Internet and Society encourages the Government of India, as called upon in the Resolution, to review national procedures and practices around surveillance to ensure full and effective implementation of obligations under international human rights law.</p>
<p style="text-align: justify; ">Prior to the UN Resolution on “The Right to Privacy in the Digital Age”, a group of international NGOs developed the <a href="https://en.necessaryandproportionate.org/TEXT">Necessary and Proportionate principles</a> that seek to form a backbone for a response to mass surveillance and provide a framework for governments to assess if domestic surveillance regimes are in compliance with international Human Rights Law. CIS has contributed to the process of developing these principles. The principles include legality, legitimate aim, necessity, adequacy, proportionality, competent judicial authority, due process, user notification, transparency, public oversight, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access. A <a href="https://en.necessaryandproportionate.org/take-action/digiges">petition</a> to sign onto the principles and demand an end to mass surveillance is currently underway.</p>
<p style="text-align: justify; ">Both the Government of India and the public of India should take into consideration the UN Resolution and the necessary and proportionate principles to reflect on how India’s surveillance regime and practices can be brought in line with international human rights law and understand where the balance is drawn for necessary and proportionate surveillance, specific to the Indian context.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d'>https://cis-india.org/internet-governance/blog/cis-supports-the-un-resolution-on-201cthe-right-to-privacy-in-the-digital-age201d</a>
</p>
elonnai | Surveillance, Internet Governance, Privacy | 2013-11-30T07:25:18Z | Blog Entry