The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 71 to 85.
Privacy and Governmental Databases
https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases
<b>In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases. </b>
<h2>Government Databases and recommendations for privacy practices</h2>
<ol><li>
<p> <strong>Citizen-State relationships and privacy standards</strong><br />Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.</p>
</li><li>
<p><strong>Specific privacy policy </strong></p>
<p>Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:</p>
<ul><li>data collection</li><li>digitization</li><li>usage</li><li>storage</li><li>security</li><li>disclosure</li><li>retrieval</li><li>access (inter departmental and public)</li><li>anonymization, obfuscation and deletion.</li></ul>
</li><li>
<p><strong>Personal vs. personal sensitive and public vs. non-public data categories </strong></p>
<p>Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct</p>
<p>categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.</p>
</li><li>
<p><strong>Standardization of Privacy Policies and Access Control </strong></p>
<p>Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.</p>
</li><li>
<p><strong>Record of breach notification </strong></p>
<p>If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.</p>
</li><li>
<p><strong>Anonymization/obfuscation and deletion policies </strong></p>
<p>Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.</p>
</li><li>
<p><strong>Accountability for accuracy of data </strong></p>
<p>Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.</p>
</li><li>
<p><strong>Appropriate uses of government databases </strong></p>
<p>Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."</p>
</li><li>
<p><strong>Access, updation and control of personal information </strong></p>
<p>Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.</p>
</li></ol>
<p><strong>Bibliography </strong></p>
<ul><li>
<p>Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.</p>
</li><li>
<p>Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.</p>
</li></ul>
<ul><li>Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada</li></ul>
<p> joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases'>https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:41:38ZBlog EntryAn Open Letter to the Finance Committee: SCOSTA Standards
https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee
<b>The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.</b>
<h3>Introduction</h3>
<p>This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that <span class="Apple-style-span">Aadhaar</span> biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.</p>
<h3>A background of the two standards</h3>
<p>The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:</p>
<p>1. Compliant with the international standard ISO-7816 for smart cards.</p>
<p>2. Based on a public/private key and pin authentication factor</p>
<p>3. Authentication factor refers to an individuals keys, pass-phrases, and pin.</p>
<p>The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:</p>
<p>1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.</p>
<p>2. Based on a symmetric authentication factor</p>
<h3>A comparison of the two standards</h3>
<table class="plain">
<tbody>
<tr>
<td><b>Standard </b><br /></td>
<td><b>SCOSTA - MNIC smart card</b><br /></td>
<td><b>Aadhaar Biometric - UID number </b><br /></td>
</tr>
<tr>
<td><b>Architecture </b><br /></td>
<td><b>Decentralized </b><br />SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner <br /></td>
<td><b>Centralized</b><br />Aadhaar biometric standards require symmetric <br />authentication factors, and thus must be structured in a centralized manner <br /></td>
</tr>
<tr>
<td><b>Standards for Technology </b><br /></td>
<td><b>Open standard<br /></b>Creates security through transparency <br /></td>
<td><b>Closed standard </b><br />Creates security though obscurity <br /></td>
</tr>
<tr>
<td><b>Points of failure </b><br /></td>
<td><b>Multiple points of failure</b><br />The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.<br /></td>
<td><b>Single point of failure </b><br />The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost<br /></td>
</tr>
<tr>
<td><b>Impact on local industry </b><br /></td>
<td><b>Encourages</b><br />Open standards allow local industry to compete in manufacturing technology<br /></td>
<td><b>Discourages</b><br />Closed standards allow foreign players to monopolize the manufacturing of technology <br /></td>
</tr>
<tr>
<td><b>Cost analysis </b><br /></td>
<td><b>Cost effective </b><br />Increased competition keeps prices low <br /></td>
<td><b>Cost ineffective </b><br />Decreased competition keeps prices high<br /></td>
</tr>
<tr>
<td><b>Revocation</b></td>
<td><b>Revocable</b><br /> If the key pair and pin are stolen, a new set of passwords can be issued<br /></td>
<td><b>Permanent</b> <br />If the biometrics of an individual are stolen, they cannot be re-issued <br /></td>
</tr>
<tr>
<td><b>Possibility of fraudulent authentication </b><br /></td>
<td><b>Lower</b><br />A thief must steal your smart card and your secret pin to commit fraud <br /></td>
<td><b>Higher</b><br />A thief only needs to collect your fingerprints using a glass tumbler to commit fraud <br /></td>
</tr>
<tr>
<td><b>Viability of Technology</b></td>
<td><b>Proven effective for large populations </b><br /></td>
<td><b>Not proven effective for large populations</b><br /></td>
</tr>
</tbody>
</table>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</a>
</p>
No publisherelonnaiPrivacy2013-12-20T03:58:09ZBlog EntryDoes the UID Reflect India?
https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india
<b>On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events. </b>
<h3>Introduction</h3>
<p>Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit <em>Aadhaar</em> numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications. </p>
<h3>Benefits for the Poor</h3>
<p>Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.</p>
<h3>Appropriate Methodology</h3>
<p>Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.</p>
<h3>Legal Questions</h3>
<p>Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the <em>Aadhaar</em> number. Legally the UID Bill does not make the <em>Aadhaar</em> number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the <em>Aadhaar</em> number would be truly voluntary.</p>
<h3>Does India Comprehend what the UID Could Bring?</h3>
<p>Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.</p>
<h3>Conclusion</h3>
<p>One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india'>https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india</a>
</p>
No publisherelonnaiInternet Governance2012-03-22T05:45:32ZBlog EntryThe Privacy Rights of Whistleblowers
https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers
<b>The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy. </b>
<h3>Introduction<br /></h3>
<p>In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitles the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"</p>
<h3>What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks? <br /></h3>
<p>Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints file by whistleblowers and as the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Mahrashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.</p>
<h3>Privacy and Whistleblowing</h3>
<p>As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.</p>
<hr />
<h3>Sources:</h3>
<ul><li> http://www.ctv.ca/generic/generated/static/business/article1833688.html</li></ul>
<ul><li> Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act. </li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'>https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:47:16ZBlog Entry UID & Privacy - A Call for Papers
https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers
<b>Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010. </b>
<h3>Topic<br /></h3>
<p>Privacy and the UID</p>
<h3>Submission Deadline</h3>
<p> By 15 January 2010 to admin@privacyindia.org</p>
<h3>Word Length</h3>
<p> 3,000-5,000 words</p>
<h3>Topic Summary</h3>
<p>The <em>Aadhaar</em> scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate. </p>
<p>As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is in fully in place.</p>
<p>We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:</p>
<ul><li> Comparative studies on privacy and national identity card schemes in other countries</li></ul>
<ul><li> Privacy and the UID Bill </li></ul>
<ul><li> How will a project such as the UID change the relationship between the state, the individual, and the market? </li></ul>
<p>Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.</p>
<h3>Who We Are</h3>
<p> Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see <a class="external-link" href="http://www.privacyinternational.org/">www.privacyinternational.org</a>). Privacy India's objective is to raise awareness, spark civil action and promoting democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-21T10:03:44ZBlog EntryShould Ratan Tata be Afforded the Right to Privacy?
https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata
<b>The Ratan Tata case has raised many important questions pertaining to privacy. This note looks at a few of those questions, and the debate that centers around them. </b>
<h3>Introduction</h3>
<p>In 2008 and 2009 conversations between Nira Radia- a professional corporate lobbyist , and many different individuals were intercepted by Income Tax officials. The interception was approved by the Ministry of Home Affairs. The interception was conducted for suspected tax evasion, possible money laundering, and restricted financial practices. The individuals included: A. Raja, the then Cabinet Minister of the Ministry of Communications and Information Technology; Ratan Tata, a client of Nira Radia and Chairman of the Tata group of companies; and various journalists including: Barkha Dutt, NDTV journalist alleged to have lobbied in support of A. Raja’s appointment as minister, and Vir Sanghvi, editor of the Hindustan Times alleged to have edited articles reducing the blame in the Nira Radia tapes. Earlier this year, these conversations were leaked to the media by an unknown source. The leak exposed a scam to manipulate the upcoming auctioning off of the 2G spectrum. In response to his leaked conversations with his consultant Nira Radia, Ratan Tata has filed a petition in the Supreme Court, claiming that his privacy has been invaded. Tata claims that the conversations were private, and that the tapes should be withdrawn from the public. He has not objected to the use of the tapes in court, acknowledging that they were obtained legally. On December 2nd the Supreme Court issued a notice to restrain the unauthorised publication of the intercepted tapes [1].</p>
<h3>Questions of Privacy</h3>
<p>The Nira Radia tapes case raises many important questions about privacy, wiretapping, transparency and ethics. It will be interesting to see how the court rules on different issues as the case progresses. First, it will be meaningful to see how the court responds to Tata’s plea for privacy. Indian courts have seen only a handful of cases that have directly appealed for protection of privacy as a fundamental right [2]. The type of privacy that has been invaded in this situation is unclear. If one looks at the privacy invasion as the data that was improperly protected, thus leading to the leak, the Tax Department may be found to have violated the informational privacy of Tata. If one looks at the invasion of privacy as the fact that personal contents of conversations were made public with the intent to expose the 2G scam, the claim is really one that his personal privacy has been invaded. Because India does not have a specific legislation on privacy, there is no clear definition of what privacy is, and whether or not Tata has had his privacy invaded. The decision by the courts will help to clarify how Indian society defines privacy, and where the line between public and private falls.</p>
<h3>Is the Information Public Knowledge?</h3>
<p>Whether or not the information intercepted in the phone conversations is public knowledge is an important question to answer. Though the 2G spectrum belongs to the people, and the conversations that were intercepted were planning a scam to defraud the Indian exchequer, the conversations were meant to be private. So, does the public have a right to know the content of the conversations, or does Ratan Tata have the right to privacy. The legislation that addresses the release of public information, and defines the categories of information that are considered to be private, is the Right to Information Act 2005. In India in recent years the right to knowledge has become a cornerstone of Indian civil liberties. The Right to Information Act 2005 embodies this liberty. The RTI mandates timely response to a citizen’s request for government information, and in its preamble affirms the policy that “…democracy requires an informed citizenry and transparency of information which are vital to its functioning and also to contain corruption and to hold Governments and their instrumentalities accountable to the governed”[3]. Under the Act, public information about or held by the government must be given to citizens upon request. Unlike in some countries, such as Canada, where the Right to Information is bolstered by a privacy law [4], the Indian legislation only contains sections that detail exceptions of data that cannot be disclosed, and the conditions for third party release. These exceptions are laid out in section 8, and in section 11 release of records to a third party is outlined.</p>
<h3>Are the Conversations Considered Public Knowledge and Would they be Released by an RTI?</h3>
<p>In a recent interview Prashant Bhushan, Supreme Court Advocate responded to a similar question with the following statement [5]:</p>
<p>Bhushan: <em>"Firstly the conversations which have come out in the public domain are not private conversations. They are conversations between Nira Radia with various public servants, with various journalists etc in her official capacity as a paid professional lobbyist and fixer for her principles.Therefore, there is hardly anything personal in these conversations. These are all professional conversations or conversations about deal making, fixing, subverting public policy etc.These conversations would be available to every citizen even under the Right to Information Act because the only objection that one could raise would be on the ground of 81(J) of the Right to Information Act which says - information which relates to personal information, the disclosure of which has no relationship to any public activity or interest. This information has relationship to public activity or interest. It also says - or which would cause unwarranted invasion of the privacy of the individual unless the public authority is satisfied, unless the information officer is satisfied that the larger public interest justifies the disclosure of such an information. In this case there is overwhelming public interest which warrants the disclosure of this information because this shows all kinds of deal making, fixing going on.</em>"</p>
<p>As Bushan has pointed out, it is possible to make the argument that the taped conversations should be categorized as public knowledge. They took place between public officials and journalists, and pertain to an issue that deeply impacts the public as a whole. Thus, a preliminary question that should be asked is whether Tata’s conversations would be revealed through an RTI, or whether his conversation would fall under the exemption of personal information found in section 8(j):</p>
<p align="left">“ <em>Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: </em></p>
<p align="left"><em>Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.</em>”</p>
<p>It is interesting to note the structure of this exemption. By the use of the word “or” the legislation suggests that unwarranted invasion of individual privacy may trigger the exemption, even if the information has a relationship to a public activity or interest. But the added caveat says that the larger public interest could justify the release of even purely private information. In addition, what constitutes “personal” information is never defined in the legislation. Thus, whether Tata’s conversations were personal in nature will have to be determined by the courts. Even if the nature of Tata’s wiretapped conversations was deemed not to be personal information, there still is an argument that they could still not be released to the public through an RTI, because Tata is not a Tax Department official, and the RTI requires disclosure of information about the Tax Department or officials in the tax department, not information about individuals who are under investigation by the Tax department.</p>
<h3>Was the Leak of the Tape Legal?</h3>
<p>Though the recording of the tapes by the Tax Department appears to be legal under the Telegraph Act 1885 section 5(2), the leak of the tape was not. Section 5(2) reads:</p>
<p><em>Section 5(2) – (2) On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order:</em></p>
<p><em>Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.</em></p>
<p>Though the Telegraph Act does not lay out specific procedures as to how wiretapped information is to be protected and secured, under section 23 and 24 it is not permitted for any person to illegally obtain the contents of an intercepted telegraph.</p>
<p><em>23. Intrusion into signal-room, trespass in telegraph office or obstruction – If any person –</em></p>
<p><em> 1. without permission of competent authority, enters the signal-room of a telegraph office of the Government, or of a person licensed under this Act, or</em></p>
<p><em> 2. enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or</em></p>
<p><em> 3. refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein,or</em></p>
<p><em> 4. willfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to five hundred rupees.</em></p>
<p><em> 24. Unlawfully attempting to learning the contents of messages – If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.</em></p>
<h3>Is it Important that the Leak was Illegal: A Question About the Public Good</h3>
<p>Clearly, from the above clauses, and in this situation, the Tax Department could argue that firstly they are not responsible for the leak, and that the illegality of the release of the tapes is subservient to the need to protect public safety. But what constitutes the greater good? In the case of Babu Ram 8 Verma Vs. State of Uttar Pradesh (1971) the Supreme Court has interpreted that the expression “public interest” as an act beneficial to the general public and an action taken for public purpose[6]. When considering whether the information is for the public good, the simple answer seems to be yes, the exposure of the 2G scam does benefit the “public interest”, but this should not be the complete answer. The reason that there are laws to regulate the dissemination of information is to protect information from being presented in a way that prejudices a person or discloses information that the public does not have a right to know. It is courts – not individuals – who should decide that the public does have a right to know before the information is disseminated. The information on the tapes could have been brought to the public’s attention by other - legal - means. Namely, the Tax Department could have filed for a new warrant to use the wiretapped information pertaining to the 2G scam, and disclosed the materials in connection with the Comptroller and Auditor General of India.</p>
<h3>Concerns about Privacy and the Right to Information: Not a Balance, but a Partnership</h3>
<p>The concern that privacy will be used to weaken transparency and to conceal crimes and corruption is often voiced as an obstacle to instituting a firm privacy law. Privacy is not a shield, and should not be misunderstood for one. A privacy legislation should bring clarity to the Right to Information. It should create a concise framework and understanding of what information is always acceptable to disclose, and what information is not acceptable to disclose without court authorization. In this situation, a privacy law could have clarified that conversations among private citizens are presumptively private, and that a court must determine otherwise. Though many people believe that the right to privacy and the right to transparency is a balance in which one right will always subordinate the other, this is not necessarily true. For instance if we look at how the two rights are at work when a voter is about to go to the polling stations, it is easy to see how they are related. The right to privacy can be understood, inter alia, as the right to be safe in one’s own identity. This is crucial for voting. If you look at this with focus on the candidate for election, there is a both the need to know as much information about that individual in order to make a informed choice, but if too much, unrelated information is known about a candidate, the election could be compromised.</p>
<h3>Conclusion: Will Ratan Tata be Afforded the Right to Privacy? </h3>
<p>In conclusion, the Nira Radia and Ratan Tata case raises many fundamental questions about privacy. In his white paper on privacy Vakul Sharma pointed out two important cases that could pertain to this situation. The first case is the case of People’s Union for Civil Liberties (PUCL) v. Union of India6, the Supreme Court held that the telephone tapping by Government under S. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of the Constitution of India. Right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”[7]. It will be interesting to see if the courts follow a similar reasoning in this case, because though the tap was legal, the leak was illegal. Or,i f exceptions will be made under the assumption of the greater public good. The second important case was State v. Charulata Joshi, in which the Supreme Court held that “the constitutional right to freedom of speech and expression conferred by Article 19(1)(a) of the Constitution which includes the freedom of the press is not an absolute right. The press must first obtain the willingness of the person sought to be interviewed and no court can pass any order if the person to be interviewed expresses his unwillingness”[8]. Perhaps the courts will instead follow the logic in this case, and rule that the press had no right to publish the recorded and that by doing so, Ratan Tata’s privacy was invaded. No matter what the court’s decision is, it is clear that in light of the Nira Radia case, the UID, and many other arising situations – India needs to come to a decision about whether it wants privacy legislation, and, if so, what a privacy legislation should look like.</p>
<h3>Bibliography:</h3>
<p>1. http://en.wikipedia.org/wiki/2G_spectrum_scam http://economictimes.indiatimes.com/news/politics/nation/On-Tatas-plea-apex-court-sends-notice-to-govt /articleshow /7028580.cms</p>
<p> http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p> http://economictimes.indiatimes.com/news/politics/nation/Phone-taps-should-not-be-leaked-Chidambaram/articleshow/7036765.cm</p>
<p>2.The following are a few cases that pertain to privacy: R. Rajagopal v. State of Tamil Nadu5, People’s Union for Civil Liberties (PUCL) v. Union of India6, Gobind v. State of M.P.</p>
<p>3.The Right to Information Act 2005. Preamble.</p>
<p>4.The Canadian Access to Information Act was created in 1985, and is meant to complement the Privacy Act</p>
<p>5.http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html</p>
<p>6.Chakraborty, B.K. RTI and Protection of Individual Privacy. Tripura Information Commissio</p>
<p>7.Sharma, Vakul. White Paper on Privacy Protection in India. Section 5</p>
<p>8.Sharma, Vakul. White Paper on Privacy Protection in India. Section 3</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata'>https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata</a>
</p>
No publisherelonnai2012-03-21T10:03:20ZBlog EntryDSCI Information Security Summit 2010 – A Report
https://cis-india.org/internet-governance/blog/dsci-information-summit
<b>On 2 and 3 December 2010, the DSCI Information Security Summit 2010 took place in the Trident Hotel, Chennai. The two day summit included a broad spectrum of speakers/panels and topics, ranging from Securing Data & Systems to how to leverage the Cloud. The key speakers were Mr. Gulshan Rai, Director General, CERT-In, DIT, Mr. Rajeev Kapoor, Joint Secretary, DoPT, Govt. of India, Mr. Vakul Sharma, Advocate, Supreme Court of India and Dr. Kamlesh Bajaj, CEO, DSCI. Elonnai Hickok attended the summit.</b>
<p>Day one commenced with keynote address given by Jeffery Carr, Principal, GreyLogic, US who spoke about the gravity and risk that businesses and countries are facing in the digital age. A prominent theme in every presentation throughout the day was that India is facing both serious changes and challenges in light of evolving technology and global standards. A few specific challenges addressed were: encryption standards, the cloud, and securing business transactions. During the panel on encryption standards it was pointed out that India desperately needs a clear and comprehensive policy on encryption standards. Not only will this serve to facilitate transactions in India, but it will increase trade as foreign countries will have an enforced policy to ensure them that India is a safe destination to export to. The panel addressing the cloud focused on the challenges that businesses are facing in terms of the cloud in the Indian context. The three main challenges to the Cloud are: </p>
<ul><li>data security and privacy</li><li>compliance requirements</li><li>legal and contractual requirements <br /></li></ul>
<p>It was pointed out that in particular the Indian legal environment is serving as an obstacle to businesses wishing to move to the cloud, because of policies such as 40 bit encryption, and the Indian Telecom licensing policy which do not permit data transfer outside the cloud. Discussed also were measures that organisations have adopted to address data protection challenges in the cloud including: Including security & privacy clauses in the contractual agreement, making the Cloud service provider liable for a data breach, and auditing the services of Cloud service providers. Further information about the Cloud in the Indian context can be found in the DSCI report on <em>Data Protection Challenges in Cloud Computing: An Indian Perspective</em>. In the session on Securing Business Transactions, the challenge of protecting data and transactions was addressed. Many approaches were presented which explained how securing systems has moved away from using security enables software to security embedded hardware. The first day concluded with a presentation of DSCI Study Reports, including their recent study on the State of Data Security and Privacy in the Indian BPO Industry, Service Provider Assessment Framework – A Study Report, and the DSCI Security Framework.</p>
<p>The second day included presentations and panel discussions on privacy, the economics of security, and security technologies. The presentation on privacy presented many different viewpoints which ranged from the stance that India has been taking the right steps towards securing individuals privacy, and in contrast, that India has seen a dilution of privacy standards in the recent years. Contributing to the panel on privacy, Vakul Sharma, Supreme Court Advocate created a timeline of privacy in India, dispelling the popular belief that India does not have a history of privacy. Mr. Sharma closed his presentation with a challenge to those who believe that India does not have adequate privacy protections - to return to the clauses in the ITA, see if they are indeed being followed, and then assess if India does not have adequate privacy protection. The panel on the Economics of Security spoke about the rising costs of security in the wake of cyber crime, and the rising cost of not adequately protecting one’s business. In the session on Technology Challenges to Fight Data Breaches and Cyber Crimes a debate evoked on current measures taken by industry and government to fight cyber crime, and steps that still need to be taken. Opening the session was a presentation by Mr. West, member of the National Cyber Forensics Training and Alliance. His presentation introduced a new approach taken by the States in which key stakeholders including students and local law enforcement were engaged when tracking down cyber criminals. Mr. West demonstrated the success of the program, and explained how such an approach could be easily adapted in India. From different comments made by the panel and audience it was clear from this session that there is a need for the Indian government to be more invested in funding and supporting smaller cybercrime initiatives. Closing the day was a panel on E-Security for the next five years including the application and enforcement of DSCI’s best practices for a Security and Privacy Framework. </p>
<p>The event was sponsored by: Trusted Computing Group, Computer Associates, McAfee, Verizon Business, Tata Consultancy Services, Deloitte, (ISC)2, BlackBerry, ACS, CSC, Microsoft, RSA, and Intel.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/dsci-information-summit'>https://cis-india.org/internet-governance/blog/dsci-information-summit</a>
</p>
No publisherelonnaiInternet Governance2012-03-21T10:04:22ZBlog EntryPublic Statement to Final Draft of UID Bill
https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID
<b>The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become a legal legislation in India. The following note contains Civil Society's response to the final draft of the Bill. </b>
<p>On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year in June 2010 the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.<strong><br /></strong></p>
<ul><li>
<p><strong>Architecture</strong></p>
</li></ul>
<p>The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.</p>
<ul><li>
<p><strong>Scope</strong></p>
</li></ul>
<p>The scope of the Bill is overboard. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms creates a threat that data will be collected and used beyond delivery of benefits</p>
<ul><li>
<p><strong>Voluntary and not Mandatory</strong></p>
</li></ul>
<p>The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number- provided that an individual furnishes equivalent ID, thus ensuring that the <em>Aadhaar</em> number is truly voluntary. </p>
<ul><li>
<p><strong>Inadequate Privacy Safeguards</strong></p>
</li></ul>
<p>The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.</p>
<ul><li>
<p><strong>Unwarranted Data Retention</strong></p>
</li></ul>
<p>The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.</p>
<ul><li>
<p><strong>Lack of accountability for all Actors</strong></p>
</li></ul>
<p>The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced. </p>
<ul><li>
<p><strong>Lack of Exceptions</strong></p>
</li></ul>
<p>The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of <em>Aadhaar</em> numbers or authentication of transactions. </p>
<ul><li>
<p><strong>Lack of Anonymity</strong></p>
</li></ul>
<p>The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an<em> Aadhaar </em>number should not be requested.</p>
<ul><li>
<p><strong>Inadequacy of Penalties</strong></p>
</li></ul>
<p>The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.</p>
<ul><li>
<p><strong>Unaffordability of Fees</strong></p>
</li></ul>
<p> It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated. </p>
<ul><li>
<p><strong>Lack of Rollback and Ombudsman Office</strong></p>
</li></ul>
<p>The Bill does not provide adequate redress for system/transaction errors and fraud. </p>
<ul><li>
<p><strong>Inappropriate Structure and Governance</strong></p>
</li></ul>
<p>The Bill does not provide appropriate judicial and parliamentary oversight.</p>
<p> Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant: </p>
<ul><li><strong>Definition of Resident</strong></li></ul>
<p>Section 2 (q): “resident” means an individual usually residing in a
village or rural area or town or ward or demarcated area (demarcated by
the Registrar General of Citizen Registration) within ward in a town
or urban area”<em><strong> </strong></em></p>
<p><em>Comment</em>: This section clarifies the definition of
‘resident’ from the draft Bill, which defined resident as an “individual
usually residing within the territory of India”. By specifying that
individuals in demarcated areas will not receive UID numbers, the
definition of resident is brought into line with the scope of the Bill
as laid out in the preamble. We see this change as a positive revision.<strong></strong></p>
<ul><li><strong>Prohibition of Dissemination of Information</strong></li></ul>
<p>Section 30 (3): “Notwithstanding anything contained in
any other law and save as otherwise provided in this Act, the Authority
or any of its officer or other employee or any agency who maintains the
Central Identities Data Repository shall not, whether during his service
as such or thereafter, reveal any information stored in the Central
Identities Data Repository to any person”</p>
<p><em>Comment</em>: This
section prohibits the dissemination of any information that is stored in
the Central Identities Data Repository. This prohibition extends to
anyone or any entity that handles information, and supersedes other laws
that might permit dissemination of information. We see this change as a
positive revision. <strong><br /></strong></p>
<ul><li><strong>Disclosure of Information in the Case of a National Security<br /></strong></li></ul>
<p> Section 33 (b):“Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”<strong><em> </em></strong><em><br /></em></p>
<p><em>Comment</em>: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency" which already has a considerable volume of judicial reasoning that has elaborated what it means. Eg. in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety", the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID'>https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:48:00ZBlog EntryConsumer Privacy - How to Enforce an Effective Protective Regime?
https://cis-india.org/internet-governance/blog/privacy/consumer-privacy
<b>In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this exercise we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar through a series of questions look through the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to find at an effective protective regime for consumer privacy.</b>
<h2> Who is a consumer? </h2>
<p>According to the Consumer Protection Act,1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. In the typical sense, when people think of themselves being a consumer, they might think about what they purchase through a physical exchange of money for goods or services, ranging from things as simple as fruit or grain to home appliances to cable television, either in a store or through an online exchange where you enter in your credit card information and receive your purchase. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors. Typical examples include hospitals, banks and telecommunications. </p>
<h2>What is Consumer Privacy and how may it be breached? </h2>
<p>Consumer privacy is concerned with the manner in which information disclosed by a consumer to a vendor is collected and used. Specific issues include: behavioral advertising, spyware, identity management, and data security/breach, Increasingly, data that is collected from consumers is stored in databanks. This is then used for both legitimate purposes (such as marketing, research etc) and illegitimate extraneous purposes (as when this data is sold in bulk to third parties). Additionally, the privacy of consumers may be compromised by actions of third parties that are facilitated by the negligence of the vendors (as for instance hacking into databases). The following international examples illustrate the kinds of privacy threats that the collection of data from consumers may pose<strong>[1]</strong></p>
<p><em>Example 1)</em> Toysmart – an online company- collected personal information from its users, promising to keep it private. In 2000, Toysmart entered bankruptcy and in an attempt to avoid losing everything tried to sell its database despite its strict privacy policy. This example illustrates how vendors may attempt to monetize the personal information of customers exceeding the terms of the contract entered into with them. </p>
<p> <em>Example 2)</em> In 2006 it was found that AOL's research site had a stored file that contained information collected from more than 600,000 users between March to May of 2006. Though the file did not indicate each user by name, it was eventually found that there was enough information to correlate specific individuals to their user number. The example of AOL’s demonstrates the danger of online privacy breaches through either oversight or negligence of the vendor in adopting adequate security measures. </p>
<p><em>Example 3)</em> Similar to the previous example ChoicePoint – an all-purpose information broker, whose database contains information about nearly every adult American citizen, had its system hacked. The thieves had access to the names, addresses and social security.</p>
<h2>How is consumer privacy protected- internationally ? </h2>
<h3>Broad guidelines: The OECD Privacy Guidelines <br /></h3>
<p>Though not a law, the OECD Guidelines drafted in 1980 provide a useful set of ‘fair information practices’ within which privacy of consumers may be evaluated. Briefly, the eight principles declared were: 1) Collection limitation principle (there should be limits to the collection of data), 2) data quality principle (data should be accurate and relevant to the purpose collected), 3) purpose specification principle, 4) use limitation principle, 5) security safeguards principle, 6) openness principle (there should be openness about data policies and changes thereof), 7) individual participation principle (enabling the individual to find out if data is being held about him and to obtain a copy of the data and make corrections) and 8) accountability principle <strong>[2]</strong>. </p>
<div>
<h3>The EU Data Protection Directive (Directive 95/46/EC) </h3>
</div>
<div>
<p>This is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. The basic guidelines of the Directive are <strong>[3]</strong>:</p>
</div>
<div>
<p> <strong><em>Notice: </em></strong>Data subjects must be notified of the: identity of the collector of their personal information, the uses for which the information is being collected, how the data subjects may exercise any available choices regarding the use or disclosure of personal information, where and to whom information may be transferred, and how data subjects may access their personal information. </p>
</div>
<div>
<p><em><strong>Consent</strong>:</em> “Unambiguous consent” of a data subject is required before any personal information may be processed. Special categories such as race, religion, political of philosophical beliefs, health, union membership, sex life, and criminal history have additional processing requirements.</p>
</div>
<p><strong><em>Consistency: </em></strong>Controllers and processors may only use information in accordance with the terms of the notice given.</p>
<div>
<p><strong><em>Access:</em></strong> Controllers must give data subjects access to personal information. </p>
<p><strong><em>Security</em></strong>:Organizations must provide adequate security, using both technical and other means to protect the confidentiality and integrity of the data. </p>
<p><strong><em>Onward transfer</em></strong>: Personal information may not be transferred to a third party unless that third party has signed a contract with the individual or organization which binds them to use the information consistently with the notice given to the data subjects.</p>
<p><strong><em>Enforcement</em></strong>: Each EU country has established a Data Protection Authority that has the power to investigate complaints, levy fines, initiate criminal actions, and demand changes in businesses information handling practices.</p>
</div>
<h3>Specific Sectoral Legislation and privacy policies </h3>
<div>
<div>
<p>The US takes a sectoral approach to protecting consumer privacy. Legislation that protects consumer privacy includes: Gramm-Leach Bliley Act, Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Also, the CAN-SPAM Act bans the sending of commercial electronic messages that contain false information. The most comprehensive act for the consumer in the U.S is the Fair Credit Report Act, which was passed in 1970. Enforcement of the Act is vested in the Federal Trade Commission. The FCRA applies to how consumers information is collected and used, and applies to insurance, employment, and other non-credit consumer transactions. Under the FCRA the information that is protected is broadly defined as 1. Consumer Report- any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer' s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumers eligibility for credit, insurance, and employment purposes. </p>
</div>
</div>
<p> Furthermore the FCRA: </p>
<div>
<p> (a) provides the right for consumers to ensure the accuracy of their data. </p>
<p> (b) includes “right to know” provisions to enable consumers to know all information in their files </p>
<p> (c ) grants consumer dispute rights </p>
<p> (c) limits disclosure of information </p>
<p> (d) requires opt-out options <em></em><strong>[ibid 4]</strong></p>
<h2>Consumer Privacy in India </h2>
<div>
<p>Broadly, there are four potential avenues for the protection of consumer privacy in India. </p>
<p> 1. Individual organizations may voluntarily commit to protect the information of their clients through “Privacy Policies” These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation. </p>
<p> 2. Certain professions and industries have codes of privacy that they must statutorily abide by. This is true of such professions as the medical profession and the legal profession in India and the entire banking industry and the telecom industry. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include derecognition and monetary penalties. </p>
</div>
<div>
<p> 3. Consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act in India. </p>
<p> 4. The newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data. </p>
</div>
<div>
<p>Each of these mechanisms is discussed in some details below: </p>
</div>
<h3>Privacy Policies: </h3>
<div>
<p>Several Indian companies have publicly stated privacy policies that they display on their website. We have profiled the privacy policies of two such companies as a sample. </p>
</div>
<div>
<p>Airtel: Defines personal information, informs users how their information will be used, describes which third parties will have access to your information, provides the ability to opt-out of commercial SMSs, provides an email address for privacy concerns. </p>
<p><em><strong>Rediff</strong></em>: Provides email for customer support, states what personal information is collected from you, what information is collected from you by cookies, what information is collected about you and stored, who will collect the information about you, how the information will be used to advertise to you and tailor to your preferences, states the rights that advertisers have to your information, disclaimer of responsibility for any other websites linked to the page, states that the information released in a chat room is considered public information, defines third party usage, defines security measures taken, lays out what choices the consumer has regarding collection and distribution of their information, contains opt-out clauses, defines personal information, defines cookies, explains that consumers have the ability to correct inaccurate information, requires youth consent <strong>[5]</strong>. </p>
</div>
<div>
<p><em>Examples of Indian organizations without a privacy policy on websites</em>: Canara bank, Andhra Bank, Indian railways, Air-India, BSNL, State Bank of India. </p>
<p><strong><em>Note: </em></strong>The International Guide to Privacy suggests the following be included in privacy policies: description of the personal information collected by the website and third party, description of how the information is used and list of parties with whom it may be shared, a list of the options available regarding the collection, use, sharing and distribution of the information, a description of how inaccuracies can be corrected, a list of the websites that are linked to the organization’s site and a disclaimer that the organization is not responsible for the privacy practices of other sites, a description of how the information is safeguarded (both physically and electronically) against loss, misuse, and alteration, consent for use of personal information <strong>[6]</strong>.</p>
</div>
<div>
<h3>Professional/Industrial Regulations </h3>
</div>
<div>
<p> As mentioned above, several professional bodies have privacy guidelines which their members must abide by. <em><br /></em></p>
<p><strong><em>Advocates</em></strong></p>
</div>
</div>
<p>Rules of Professional Conduct have been framed under the Advocates Act and establishes a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege <strong>[7]</strong>.</p>
<p><strong><em> Medical Practitioners </em></strong></p>
<p>Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy, for instance : Every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment <strong>[8]</strong>.</p>
<p><em> Article 2.2: </em> Requires physicians to maintain Confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also requires the physician, controversially to evaluate “whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed”. In such an instance, the rules advice the physician to “act as he would wish another to act toward one of his own family in like circumstances.”</p>
<p> <em>Article 7.14:</em> Enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –</p>
<p>1. in a court of law under orders of the Presiding Judge;</p>
<p> 2. in circumstances where there is a serious and identified risk to a specific</p>
<p>person and / or community; and</p>
<p> 3. notifiable diseases.</p>
<p> <em>Article 7.17</em>: Forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, however, the consent is not needed.</p>
<p><em>Important Case Law</em></p>
<p>In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancé without his knowledge resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The supreme court while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was “subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others.”<strong>[9]</strong> This case raises certain questions which might be worthwhile to consider:</p>
<p>1. Are there other ways in which the situation could have been handled – such as through proper counselling. Furthermore, it is important to establish what the role of a hospital is, and where their primary interest lies in protecting their patient and their patients data, and take into consideration the importance of consent in handling and disclosing personal information.</p>
<p> 2. The argument that there is no absolute for privacy raises questions of who is determining the limits for disclosure of the man's HIV status. If his fiancé should be informed of his results, should his workplace , community, church? Do they face the same risks as his fiancé? Who is to be the judge of this risk?</p>
<h3>Banking and Telecom Industry</h3>
<p>The Banking and Telecom industry each have regulatory authorities which have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, RBI's Customer Service statement obliges bankers to maintain secrecy, and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators. More details are provided in the accompanying briefs that exclusively deal with the banking and telecom industries.</p>
<p><strong><em>Consumer Protection Act 1986:</em></strong></p>
<p>The Consumer Protection Act which was enacted with the objective to provide for better protection of the interests of the consumer has emerged as a major source of relief to those who have suffered violations of their privacy {10}.</p>
<p><em>Important Case Laws </em></p>
<p>In Rajindre Nagar Post Office vs. Sh Ashok Kriplani a post master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to addressee was a grave “deficiency in service” on the part of the appellant. It was ruled that the right of privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded as to the mental agony, harassment, and loss arising from the charge of deficiency in service. The importance of this case lies in the willingness of the courts to treat breach of privacy as a “deficiency of service”<strong>[11]</strong>.</p>
<p>In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing. Although this decision was reversed on appeal by the Delhi High Court it confirms a trend of Consumer Dispute Redressal Commissions willing to take up cudgels on behalf of consumers for violations of their privacy.</p>
<h3>Information Technology Act 2000 (Amended 2008)</h3>
<p> In 2008, the Information Technology Act was amended to include an extremely salutary relief to people when a breach of privacy is occasioned by the leakage of data from computerised databases maintained by corporates. Thus, the newly inserted Section 43A states that if a “body corporate” is possessing, dealing, or handling any “sensitive personal data or information” in a computer resource which it owns, controls, or operates, and is negligent in implementing and maintaining “reasonable security practices and procedures” and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.</p>
<p>The Section further stipulates that the Central Government would come up with the reasonable security practices and procedures and would also define what constituted ‘personal sensitive information’.</p>
<p>Likewise, the newly introduced Section 72A declares that if “any person including an intermediary” secures access to any personal information about another person while providing services under the terms of lawful contract, and if he, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such information without the consent of the person concerned, or in breach of a lawful contract, he is liable to be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both <strong>[12]</strong>.</p>
<h2>Conclusion</h2>
<p>In conclusion it is important to consider many elements when looking at an effective protective regime for consumer privacy :<br />1. Is a comprehensive data protection of a sectoral approach more suited to the needs of India?</p>
<p>2. Does India want to become compliant with international standards for data protection ?</p>
<p>3. How will privacy policies be enforced and how will organizations be held accountable for protection of client privacy under the legislation ?</p>
<p>4. Will consumers be notified if their information is breached? If so – what will be included in the breach notification?</p>
<p>5. How can a legislation ensure that consumers are aware of their privacy rights?</p>
<p>6. How can a privacy legislation address the need for different levels of protection for different types of data?</p>
<h3>Bibliography:</h3>
<p class="discreet">1. Examples drawn from: Oussayef, karim. Selective Privacy: Facilitating Market Based Solutions to Data Breaches by Standardizing Internet Privacy Policies. 14 B U Journal Sci and Tech Law. 105 2008.</p>
<p class="discreet">2. Organisation for Economic Co-operatioin and <em>Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security ,</em> July 25, 2002</p>
<p class="discreet">3. Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processting of personal data and on the ree movement of data</p>
<p class="discreet">4. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg.34-4</p>
<p class="discreet">5<a href="http://www.rediff.com/w3c/policy.html">http://www.rediff.com/w3c/policy.html</a></p>
<p class="discreet">
6. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg. 161-164</p>
<p class="discreet">7. The Advocates Act 1961<a href="http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf">http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf</a></p>
<p class="discreet">8 Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations. Published in Part III, Section 4 of the Gazette of India, dated 6th April, 2002<a href="http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf">http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf</a>.</p>
<p class="discreet">9. (1998) 8 SCC 296:<a href="http://indiankanoon.org/doc/382721/">http://indiankanoon.org/doc/382721/</a></p>
<p class="discreet">10. Indian Consumer Protection Act 1986<a href="http://www.legalhelpindia.com/consumer-protection-act.html">http://www.legalhelpindia.com/consumer-protection-act.html</a>.</p>
<p class="discreet">11.<a href="http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm">http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm</a></p>
<p class="discreet">12. Information Technology Act 2000: Amended 2008<a href="http://www.mit.gov.in/content/information-technology-act">http://www.mit.gov.in/content/information-technology-act</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/consumer-privacy'>https://cis-india.org/internet-governance/blog/privacy/consumer-privacy</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:06:04ZBlog EntryPrivacy and Telecommunications: Do We Have the Safeguards?
https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications
<b>All of you often come across unsolicited and annoying telemarketing calls/ SMS's, prank calls, pestering calls for payment, etc. Do we have any safeguards against them? This blog post takes a look at the various rules and regulations under Indian law to guard our privacy and confidentiality.</b>
<h2>1 Introduction <br /></h2>
<p>With a subscriber base that stands at just over 700 million (TRAI, August 2010) the telecom industry has enjoyed spectacular success at absorbing Indians into its fold. Tele-density which, even as recently as in 2002 was stagnant in the low single-digits, today stands at a proud 59%. However far one could go today, it would seem one would never be too distant from a mobile phone.</p>
<p>While this extensive penetration has heralded an era of unprecedented access – truly a ‘communications revolution’ whose full effects it may still be too early to grasp – it has also led to the exposure of individuals to risks on a magnitude never before witnessed. Firstly, in the ordinary course of their business, telecom companies accumulate vast volumes of personal information about their customers including photocopies of identity documents, biographical information etc, which could potentially be misused; </p>
<p>Secondly, the fact that a vast amount of our communication now occurs with the involvement of electronic media has rendered us more susceptible to invasive surveillance - whether lawful or not;</p>
<p> Thirdly, much of our communication is now not merely ephemeral, but is stored in digital form for indefinite periods in corporate ‘data centers’.;</p>
<p> Lastly, owning a mobile phone not only enables us to communicate with our business partners and loved ones, but also forces us to engage with an incessant stream of ‘noise’ – telemarketing calls and SMSes, prank/hoax calls, calls pestering us for the payment of bills and offensive/threatening calls.</p>
<p>This note examines the kinds of safeguards that currently exist under Indian law to protect the privacy of telecom users. Broadly there are three streams of such protection</p>
<p>1) The Telegraph Act and Rules, which contains provisions that prohibit and penalize unlawful interception of communication. Furthermore, licenses issued to telecom service providers (TSPs) under this Act require TSPs to take measures to safeguard the privacy of their customers and confidentiality of communications.</p>
<p>2) The Telecom Regulatory Authority of India has issued various guidelines to TSPs many of which pertain to privacy. </p>
<p>3) The Consumer Protection Act provides customers with an avenue of redress in case of violation of their privacy. </p>
<p> The first two are described in greater detail in the paragraphs that follow. This is followed by a brief analysis of certain international norms</p>
<h2>2 Indian Regulatory Regime</h2>
<div> </div>
<h3>2.1 The Indian Telegraph Act and Rules</h3>
<p>First enacted in 1885, the Telegraph Act remains today on the statute books as the umbrella legislation governing most forms of electronic communications in India including telephones, faxes, the internet etc. The Act contains several provisions which regulate and prohibit the unauthorized interception or tampering with messages sent over ‘telegraphs’i. The following sections apply:</p>
<p><em>1) Section 5 empowers the Government to take possession of licensed telegraphs and to order interception of messages in cases of ‘public emergency’ or ‘in the interest of the public safety’. Interception may only be carried out pursuant to a written order by an officer specifically empowered for this purpose by the State/Central Government. The officer must be satisfied that “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence”ii</em></p>
<p><em>2) Section 23 imposes a fine of Rs. 500 on anyone who enters a telegraph office without proper authorization.</em></p>
<p><em>3) Section 24 makes it a criminal offence for a person to enter a telegraph office “with the intent of unlawfully learning the contents of any message”. Such a person may be punished with imprisonment for a term of up to a year.</em></p>
<p><em>4) Section 25 further imposes a criminal penalty on anyone who damages or tampers with any telegraph with the intent to prevent the transmission of messages or to acquaint himself with the contents of any message or to commit mischief. Punishment in this case could extend to 3 years imprisonment or a fine or both.</em></p>
<p><em>5) Section 26 makes it an offence for a Telegraph Officer to alter, unlawfully disclose or acquaint himself with the content of any message. This is also punishable with up to 3 years imprisonment or a fine or both.</em></p>
<p><em>6) Section 30 criminalizes the fraudulent retention or willful detention of a message which is intended for someone else. Punishment extends to 2 years imprisonment or fine or both.</em></p>
<h3>2.2 License Agreements</h3>
<p>Although the statute itself governs the actions of telecom operators in a general way, more detailed guidelines regulating their behavior are contained in the terms of the licenses issued to the telecoms which permit them to conduct businessiii. Frequently, these licenses contain clauses requiring telecom operators to safeguard the privacy of their consumers. A few examples include: </p>
<p><em>1) Clause 21 of the National Long Distance Licenseiv comprehensively covers various aspects of privacy including </em></p>
<p><em>a. Licensees to be responsible for the protection of privacy of communication, and to ensure that unauthorised interception of message does not take place.</em></p>
<p><em>b. Licensees to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and their business to whom they provide service and from whom they have acquired such information by virtue of those service and shall use their best endeavors to secure that :</em></p>
<p><em>i. No person acting on behalf of the Licensees or the Licensees themselves divulge or uses any such information except as may be necessary in the course of providing such service to the Third Party; and</em></p>
<p><em>ii. No such person seeks such information other than is necessary for the purpose of providing service to the Third Party.</em></p>
<p><em>c. The above safeguard however does not apply where </em></p>
<p><em>i. The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or </em></p>
<p><em>ii. The information is already open to the public and otherwise known.</em></p>
<p><em>d. The Licensees shall take necessary steps to ensure that the they and any person(s) acting on their behalf observe confidentiality of customer information.</em></p>
<p><em>2) Clause 39.2 of the Unified Access Service License and clause 42.2 of the Cellular Mobile Telephone Service licence enjoin the licensee to take all necessary steps to safeguard the privacy and confidentiality of any information about a third party, and its business to whom it provides the service. The Licensee is required to use its best endeavors to secure that no person acting on behalf of the licensee or the licensee divulges or uses any such information - except as may be necessary in the course of providing such service to the third party.</em></p>
<p><em>3) The Internet Services License Agreement (which authorizes ISPs to function in India) similarly contains provisions touching on privacy:</em></p>
<p><em>a) Part VI of the License Agreement gives the Government the right to inspect/monitor the TSPs systems. The TSP is responsible for making facilities available for such interception. </em></p>
<p><em>b) Clause 32 under Part VI contains provisions mandating the confidentiality of information. </em>These provisions are identical to those described in Clause 21 of the NLD License agreement (see above).</p>
<p><em>c) Clause 33.4 makes it the responsibility of the TSP to trace nuisance, obnoxious or malicious calls, messages or communications transported through its equipment.</em></p>
<p><em>d) Clause 34.8 requires ISPs to maintain a log of all users connected and the service they are using (mail, telnet, http etc.). The ISPs must also log every outward login or telnet through their computers. T</em>hese logs, as well as copies of all the packets originating from the Customer Premises Equipment (CPE) of the ISP, must be available in REAL TIME to Telecom Authority. The Clause forbids logins where the identity of the logged-in user is not known.</p>
<p><em>e) Clause 34.12 and 34.13 requires the Licensee to make available a list of all subscribers to its services on a password protected website for easy access by Government authorities. </em></p>
<p><em>f) Clause 34.16 requires the Licensee to activate services only after verifying the bonafides of the subscribers and collecting supporting documentation. There is no regulation governing how long this information is to be retained.</em></p>
<p><em>g) Clause 34.22 makes it mandatory for the Licensee to make available “details of the subscribers using the service” to the Government or its representatives “at any prescribed instant”. </em></p>
<p><em>h) Clause 34.23 mandates that the Licensee maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny by the Licensor for security reasons and may be destroyed thereafter unless directed otherwise by the licensor”. </em></p>
<p><em>i) Clause 34.28 (viii) forbids the licensee from transferring the following information to any person/place outside India:</em></p>
<p><em>j) Any accounting information relating to subscriber (except for international roaming/billing) (</em>Note: it does not restrict a statutorily required disclosure of financial nature)<em> ; and</em></p>
<p><em>k) User information (except pertaining to foreign subscribers using Indian Operator’s network while roaming).</em></p>
<p><em>l) Clause 34.28(ix) and (x) require the TSP to provide traceable identity of their subscribers and on request by the Government must be able to provide the geographical location of any subscriber at any given time. </em></p>
<p><em>m) Clause 34.28(xix) stipulates that “in order to maintain the privacy of voice and data, monitoring shall only be upon authorisation by the Union Home Secretary or Home Secretaries of the States/Union Territories”.</em> (It is unclear whether this is to operate as an overriding provision governing all other clauses as well)</p>
<h3>2.3 TRAI Regulations and Directions</h3>
<p>The Telecom Regulatory Authority of India was established by statute in 1997 to safeguard interests of consumers while simultaneously nurturing conditions for growth of telecommunications in the country. The Authority has issued several regulations on various subjects which are binding on TSPs. The following regulations touch on the subject of privacy:</p>
<h3>2.4 Unsolicited Commercial Communications Regulation</h3>
<p>In 2007, the Authority introduced the Telecom Unsolicited Commercial Communications Regulations which were aimed at creating a mechanism for registering requests of subscribers who did not wish to receive unsolicited commercial communications. </p>
<p>* The regulations define “unsolicited commercial communication” as any message, through telecommunications service, which is transmitted for the purpose of informing about, or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive, </p>
<p>* The following categories of message are excluded</p>
<p> (i) any message under a specific contract between the parties to such contract; or </p>
<p> (ii) any messages relating to charities, national campaigns or natural calamities transmitted on the directions of the Government or agencies authorized by it for the said purpose; </p>
<p> (iii) any message transmitted, on the directions of the Government or any authority or agency authorized by it, in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality;</p>
<p>* The regulations specified a procedure for initiation of complaints by consumers and for their adjudication and disposal. </p>
<p>* Telemarketers who initiate unsolicited commercial communication with a person who has opted not to receive such communications face a fine of Rs. 500 per call/SMS as well as disconnection of their telephone services. </p>
<p>* The regulations require the TSPs to maintain confidentiality of all information submitted by the subscribers for the purposes of the ‘Do not Call Registry’.</p>
<h3>2.5 Privacy and Confidentiality Direction </h3>
<p>In February 2010, the TRAI issued a direction seeking to implement the privacy and confidentiality related clauses in the service providers’ licenses (see previous sections). Accordingly by this direction, the TRAI ordered all service providers to “put in place an appropriate mechanisms, so as to prevent the breach of confidentiality on information belonging to the subscribers and privacy of communication”. All service providers were required by this regulation to submit a report to the TRAI giving details of measures so adopted. </p>
<h2>3 International Norms</h2>
<h3>3.1 Telecommunications in the EU </h3>
<p>In 2006, the European Union adopted Directive 2006/24/EC which mandated member states to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. The directive permits police and security agencies to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information would only be granted through a court order. In 2002 the Directive adopted the Privacy and Electronic Communications Directive. The ECD regulates the electronic communications sector and addresses issues such as: the retention of data, the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories. </p>
<p>Art 10(1) of the German Constitution holds “The secrecy of letters, as well as of the post and telecommunications, is inviolable”. However, in 1968 an amendment was introduced which permitted (1) surveillance to occur without the affected person ever being informed of it; and (2) surveillance without judicial review, but through “a review of the</p>
<p>case by bodies and auxiliary bodies appointed by Parliament.”These measures could only be invoked in order to protect “the free democratic basic order or the existence or security of the Federation or a state.”</p>
<h3>3.2 Telecommunication in the United States </h3>
<p>In the United States telecommunications are regulated by the Federal Communications Commission. Specifically the FCC regulates how telecommunications carriers and providers of cable television use customer personal information, cable subscriber information, and telemarketing and junk fax activities. Every company that participates in telemarketing must comply with the FCC's rules. The main legislation used to regulate telecommunication carriers is the Federal Communication Act. The Act applies to how carriers may use and disclose “Customer Proprietary Network Information” which includes billing information, type of telecommunications service used, and the types of calls customers tend to make. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. The FCC does though provide, what is known as a “total service approach”, exception to these rules - that allows carriers to use CPNI to market to existing customers. Also, under the Act, cable providers are required to provide to their subscribers detailed notice about the collection and use of information, and gather consent before collecting, distributing, or disclosing information. Additionally, customers are granted access to their information, and information must be destroyed after it has served the purpose for which it is collected. The Act further requires that carriers must provide customer notice and the opportunity to opt out of marketing. </p>
<p>The Telephone Consumer Protection Act applies to U.S companies that tele-market to consumers for commercial purposes. The rules require that phone calls are not permitted before 8:00 am or after 9:00 pm, the company must keep an internal record of consumer who ask not to be called again, and the company must refrain from sending commercial faxes without the recipient's consent. Telephone monitoring and recording are regulated in each state. Many states follow a system known as “one-party consent”, which permits a party to record a telephone conversation without the other party's consent. Only eleven states require consent of all parties before a telephone conversation is recorded (ibid Westby, International Guide to Privacy, 2004). </p>
<h2>4 Discussion</h2>
<p>The Indian Constitution does not, as in certain other countries (Eg. Germany), contain express language upholding the right to privacy in telecommunications. This absence has not however hindered the Supreme Court from reading in the right to privacy into the Fundamental Right to Life. Various judicial decisions as well as statutes affirm this right to privacy in telecommunications. In conclusion, we would like to provide a quick FAQ on privacy in telecommunications that draws on the foregoing analysis of Indian Law.v </p>
<p>(1) To what extent is there legal protection for customer information (such as one’s name, address, telephone number, or non-dynamic IP address); </p>
<p>As mentioned above, it is fairly easy for enforcement agencies to obtain this data. ISPs are required to make available much of this data on a website for the government to access at all times. Such access may be gained without judicial scrutiny and without even any showing of suspicion.</p>
<p>(2) The extent of legal protection for connection data (such as the telephone numbers called; time and length of connection; one’s dynamic IP address) and the content of telecommunications </p>
<p>Targeted surveillance or wiretapping is only possible following the procedure laid out in the Telegraph Rules which specify the manner in which such an order may be made, the review procedure and the maximum permissible duration of surveillance. </p>
<p> (3) the legal requirements placed on telecommunications providers for data retention or data erasure; </p>
<p>The ISP License agreement requires the ISP to maintain “all commercial records with regard to the communications exchanged on the network” for a period of “at least one year for scrutiny. No definition is provided of what these commercial records would include or exclude. There is no information on the extent to which ISPs in India currently comply with this requirement and whether they follow any data erasure procedures. </p>
<h2>Questions: </h2>
<p>Will a privacy legislation address data retention for the Telecom sector? </p>
<p>Will a privacy legislation regulate the monitoring and tapping of phones? </p>
<h3>End Notes </h3>
<p><span class="Apple-tab-span"></span>i‘Telegraph’ is defined widely in the Act to include any “apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature” thus covering most known mediums of communication. </p>
<p>ii<span class="Apple-tab-span"> </span> In 1997, the Supreme Court of India held in PUCL v. Union of India that the interception of communications under this section was unlawful unless carried out according to procedure established by law. Since no Rules had been prescribed by the Government specifying the procedure to be followed, the Supreme Court framed guidelines to be followed before tapping of telephonic conversation. These guidelines have been substantially incorporated into the Indian Telegraph Rules in 2007. Rule 419A stipulates the authorities from whom permission must be obtained for tapping, the manner in which such permission is to be granted and the safeguards to be observed while tapping communication. The Rule stipulates that any order permitting tapping of communication would lapse (unless renewed) in two months. In no case would tapping be permissible beyond 180 days. The Rule further requires all records of tapping to be destroyed after a period of two months from the lapse of the period of interception.</p>
<p>iii<span class="Apple-tab-span"> </span> Section 4 of the Telegraph Act forbids the establishment of any telegraph service (including, as mentioned earlier, all telephony, internet etc) without obtaining a license from the Central Government.</p>
<p>iv<span class="Apple-tab-span"> </span> Issued to TSPs who offer long distance telephony in India</p>
<p>v<span class="Apple-tab-span"> </span> These questions drawn from a template provided in Schwartz, Paul M. “German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance.” Hastings Law Journal 54 (August 25, 2003): 751.</p>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications'>https://cis-india.org/internet-governance/blog/privacy/privacy-telecommunications</a>
</p>
No publisherelonnai2012-03-21T10:06:48ZBlog EntryPrivacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection?
https://cis-india.org/internet-governance/blog/privacy/privacy-banking
<b>Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.</b>
<p><span class="Apple-style-span">
</span></p>
<h2>1. Introduction</h2>
<p>Banking is one of the most at risk sectors for privacy violations due to the sensitive, and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by client, incorrectly recording personal information, and loss of a clients personal data due to improper security measures. </p>
<h2>2. Examples of privacy violations in the banking sector: </h2>
<p>There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.</p>
<h3>2.1 Bank of America: </h3>
<p>An example of very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case Bank of America was charged for selling the personal information (social security numbers, bank account numbers etc) of 35 million customers to marketers and third parties without informing individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy polices, its Web site, and its privacy procedures. Perhaps the most alarming element to this story is that Bank of America violated its own privacy policy <strong>[1]</strong>.</p>
<div>
<p> This example raises the question of who should be regulating the banking sector? If the banking sector should be subject to audits more frequently or more stringently? Under what circumstances should data transfer be permitted ie can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The example also demonstrates:</p>
<div>
<ul style="list-style-type: square;"><li>
<p>The need for a customers personal data to be distinguished between public and non-public information.</p>
</li><li>
<p>The need for opt out options for customers, so they can choose if personal information is shared with non-affiliated third parties.</p>
</li><li>
<p>The need for restrictions on re-disclosure and re-use of transferred or disclosed data </p>
</li></ul>
<h3>2.2 Punjab National Bank </h3>
<p>In 2008 in the case of the Punjab National Bank vs. Rupa Mahajan Pahwa a bank was charged of issuing a duplicate passbook of a joint saving bank account of a husband and wife being maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, and was charged a fine with the instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require that employees in the financial sector go through training on privacy procedures <strong>[2]</strong>. </p>
<div>
<p>This example further demonstrates the need for: </p>
<ul><li>Specific guidelines to the instances in which each type of information can be disclosed.</li><li>Appropriate notice should be given to costumers for the disclosure of personal information. Notices of disclosure should include: initial privacy notices of the financial institutions policies and practices with respect to the disclosure and protection of personal information, annual notices. If there are exceptions to be made, these should be clearly established.</li></ul>
</div>
</div>
</div>
<h3>2.3 Canara Bank</h3>
<p>In the case of Canara Bank vs. DistRegistrar and Collector the district Registrar, entered onto Canara's banks premise and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play<strong>[3]</strong>. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector. </p>
<h2>3. What are the current privacy standards for the banking sector in India? </h2>
<p>Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector. </p>
<div>
<div>
<ul style="list-style-type: square;"><li>
<p>What are the rules and restrictions placed on banks that relate to confidentiality and secrecy?</p>
</li><li>
<p> What are the exceptions to the obligations of secrecy?</p>
<h3>3.1.<span class="Apple-tab-span"> </span>Customary/Statutory Banking Law</h3>
</li></ul>
</div>
</div>
<div>
<p>Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 – Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 – Section 13, Credit Information Companies Act 2005 -section 29, and The Public Financial Institutions Act, 1983 -section 3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy as provided<strong> [4]</strong>. </p>
</div>
<p><em> Section 44. Obligation as to fidelity and secrecy: </em>Obligation as to fidelity and secrecy.(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.</p>
<p> In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, a customer owned 261 bank currency notes of Rs. l.000/-each. Following the demonitisation of high value currency notes in 1978, he tendered these notes to the bank along with the requisite declaration and instricted the bank to credit his Current Account with the amount. The bank made declaration made by the customer available to the Income-tax Department who issued a notice under Sec. 226(3) of the Income-tax Act, attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury is resulted from the breach. It was, however, not an absolute duty. but was a qualified one subject to certain exceptions. The instances being (l)the duty to obey an order under the Bankers' Books Evidence Act. (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of overdraft, and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions. The recent Payment and Settlement Systems Act , 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section 22 of the Act enjoins “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:</p>
<div>
<p>(a) required under the provisions of this Act </p>
<p>(b) made with the express or implied consent of the system participant concerned </p>
<p>(c) in obedience to the orders passed by a court of competent jurisdiction </p>
<p>(d) in obedience of a statutory authority in exercise of the powers conferred by a statute.</p>
</div>
<h3> 3.2 Reserve Bank of India regulations </h3>
<p>The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”. </p>
<p>In 2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a seriece of internal Grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.</p>
<p>Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per-contract and enforcement is not guaranteed through parliamentary sanctions.</p>
<h3>3.3<span class="Apple-style-span"><strong> </strong></span>What legislation applies to data protection in the banking sector?</h3>
<p>Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.</p>
<h2>4. International Regulation of Privacy in Banks: </h2>
<p><em>The EU: </em>The EU Data Protection Directive is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes,specifically as it relates to processing, using, or exchanging such data <strong>[5]</strong><span class="Apple-style-span">.</span> The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. For example in the UK the financial sector is regulated by the Banking Act of 2009<span class="Apple-style-span">, </span>but financial data, along with other data is monitored by the UK data regulator.</p>
<p class="MsoBodyText"> <em>The US: </em>Though the United States has many acts regulating the financial sector, the main legislation though is the Gramm-Leach-Bliley Act<strong> [6]</strong>. The GLBA imposes obligations and restrictions on financial institutions. The act defines:</p>
<ul><li> The entities covered in the act</li><li> Classifications of data and restrictions based on type of data</li><li> Acceptable and non-acceptable forms of disclosure</li><li> Opt out requirements protocols and procedures</li><li> Notice requirements</li><li> Acceptable and non-acceptable marketing activities</li><li> Measures that should be taken to safeguard information</li><li> Methods of enforcement.</li></ul>
<h2> Questions to Consider:</h2>
<ul><li>Should financial information be separated into categories based on level of privacy risk?</li><li>Should financial information be treated to a greater level of security?</li><li>Should organizations who commit data breaches in the financial sector receive more severe sanctions?</li><li>Should a privacy legislation create a standardized privacy policy for the financial sector?</li><li>Should a privacy legislation require specific internal and external audits and monitoring of the financial sector? </li></ul>
<p class="MsoBodyText"> </p>
<h2>Bibliography</h2>
<p class="MsoBodyText">1. <a href="http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices">http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices</a></p>
<p class="MsoBodyText">2.<a href="http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm">http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm</a></p>
<p class="MsoBodyText">3.(2005) 1 SCC 496: AIR 2005 SC 186</p>
<p class="MsoBodyText">4. <span class="Apple-style-span">One of the landmark cases on banking customs related to secrecy is the Court of Appeal case of Tournier v. National Provincial and Union Bank of England decided in 1924. The court upheld the general duty of secrecy arising out of a contract between the banker and the customer and held that the breach of it may give rise to a claim for substantial damages if injury has resulted from the breach. It is, however, not an absolute duty but qualified and is subject to certain reasonable exceptions. These exceptions have been incorporated into Indian law (see the Shankarlal Agarwalla case below)</span></p>
<p class="MsoBodyText"><span class="Apple-style-span">5.</span>Westby, Jody. International Guide to Privacy: American Bar Associaton 2004 pg.89-102</p>
<p class="MsoBodyText">6.Westby, Jody. International Guide to Privacy: American Bar Associaton 2004 pg.18</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-banking'>https://cis-india.org/internet-governance/blog/privacy/privacy-banking</a>
</p>
No publisherelonnai2012-03-21T10:07:08ZBlog EntryC.I.S Responds to Privacy Approach Paper
https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper
<b>A group of officers was created to develop a framework for a privacy legislation that would balance the need for privacy protection, security, sectoral interests, and respond to the domain legislation on the subject. Shri Rahul Matthan of Tri Legal Services prepared an approach paper for the legal framework for a proposed legislation on privacy. The approach paper is now being circulated for seeking opinions of the group of officers and is also being placed on the website of the Department of Personnel and Training for seeking public views on the subject. The Privacy India team at C.I.S responded to the approach paper and has called for the need for a more detailed study of statutory enforcement models and mechanisms in the creation of a privacy legislation. </b>
<h2>1. What is privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>In the approach paper, the definition of privacy is not consistent and the meanings are used interchangably. It is variously referred to as a right and an expectation. Also, we find that no real distinctions are being made between privacy, data protection, and security. As a result, the paper lays out an approach to a data protection legislation masquerading as a privacy legislation. Thus, we find that there is a need to define and make consistent in the document, the language used to define privacy. </p>
<p>b)<span class="Apple-tab-span"> </span>CIS, drawing upon the definition of privacy used in the European Union, understands privacy as the right of an individual to be free from unauthorised intrusion and the ability of that individual to control and disseminate information that identifies or characterizes the individual. We thus believe privacy is operative in these contexts: </p>
<p>1. Physical - physical space, body, home, car, etc. </p>
<p>2. Informational - Digital as well as Non-Digital (Information gathering, storage, retrieval, usage, transfer, disposal, etc). </p>
<p>3. Intellectual - Right to make decisions pertaining to oneself, to enjoy one's perspective and ideas. A violation in any of these contexts should be construed as a breach of privacy.</p>
</div>
<h2>2. Is there a need for privacy protection? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that there is a pressing need for privacy protection in the context of the enhanced technological opportunities that have arisen in the past two decades for the exploitation of personal data. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>As the approach paper rightly concludes, these threats to privacy are magnified by initiatives that interlink databases – such as the UID project. </p>
<p>c)<span class="Apple-tab-span"> </span>However, we believe that privacy is not limited to data protection and would invite the Committee to consider ways in which it may broaden the ambit of its investigation. </p>
</div>
<h2>3. Is there a need for such legislation? </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>We reject the “hybrid” approach being offered here. Previous experiences with Self Regulatory Organisations (SROs) in India (for eg. AMFI, MFIN) leaves us with little cause for optimism that they will be an effective guarantor of as sensitive a right as privacy. Curiously, the approach paper itself does not mention this “hybrid” aspect anywhere else in the document. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We endorse the attempt to arrive through statute, at a minimal, though robust, horizontal guarantee of privacy that operates across sectors. Just as the parameters of the right to life and liberty are broad guidelines on one hand but have specific and intentional meanings, so should the right to privacy. </p>
</div>
</div>
<h2>4. Legislative Competence: </h2>
<p>We agree.</p>
</div>
<h2>5. Is there a constitutional right to privacy? </h2>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that the Supreme Court has derived a constitutional right to privacy from Article 21 of the Constitution. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>However, the approach paper is factual incorrect in its assertion that “all available cases have been decided in the context of government action”. There is by now a sizeable amount of consumer case law which deals with the issue of privacy between private individuals/entities. </p>
<p>c)<span class="Apple-tab-span"> </span>Most frequently, this issue has arisen the context of hospital/patient relationships and the courts have held the right to privacy as one that is not unqualified. </p>
<p>d)<span class="Apple-tab-span"> </span>Other common “non-government” arenas where courts have elaborated on the right to privacy include banking and telephony services. </p>
<p>e)<span class="Apple-tab-span"> </span>We feel that the Committee ought to inform itself more thoroughly about the developing jurisprudence on the right to privacy in India – both in the context of government and non-government actions.</p>
</div>
</div>
</div>
<h2>6. Existing legislation: </h2>
<div>
<p>a)<span class="Apple-tab-span"> </span>In addition to the IT Act, there are several statutes and subordinate legislation which safeguard an individual’s privacy in specified sectors such as banking, insurance, telephony etc. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>By neglecting them wholesale, we feel that the approach paper deprives itself of valuable contextual elaborations of the right to privacy in India. The case for a horizontal right to privacy in India can be derived not merely from the inadequacies of the IT Act, but from the cumulative failings of all these numerous dispersed provisions. </p>
<p>c)<span class="Apple-tab-span"> </span>We agree that ITA does not provide sufficient protection to privacy, and that there is a need for specific legislation that addresses all aspects of privacy, but we would go much further than the current proposal. </p>
<p>d)<span class="Apple-tab-span"> </span>We suggest that in addition to the requirements listed for data security, a full-fledged privacy legislation needs to include specific regulations on: gathering, retention, access, transfer, security, data quality, and individuals’ consent. </p>
<p>e)<span class="Apple-tab-span"> </span>Furthermore, the data protection component of the privacy legislation needs to include redress for breaches of data, and the individual must be informed when a data breach takes place and given access to sufficient information to identify who breached the privacy and how – as well as information about what data were compromised and ways to limit or undo the improper disclosure.. </p>
<p>f)<span class="Apple-tab-span"> </span>Generally speaking, a privacy regime should work towards: 1. Increasing the protection of tangible and intangible possessions as well as personal data; 2. Increasing knowledge of privacy and empowering people to make informed choices; 3. Making organizations more accountable for protecting privacy; 4. Compelling (through audits, sanctions, etc) organisations to improve security standards; 5. Increasing individuals’ confidence in privacy laws and the organisations protecting privacy. </p>
</div>
<h2>7. Potential Conflicts between Data Protection Legislation and other Laws: </h2>
<div>
<p> We find that it would be useful if the laws that conflict with the data protection legislation are referenced in each section.</p>
</div>
<h3> 7.1 Data Protection and the Right to Information</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>The argument that a privacy legislation would conflict with the RTI is somewhat overstated. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Where the government has collected data from individual citizens, that information needs to be exempt from RTI disclosure unless an overriding public interest is demonstrated – which is the current position under the RTI Act. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe, on the other hand, that public officials ought to be subject to scrutiny by virtue of the public office they hold and that they should be subject to transparency about certain aspects of their life which would not be applicable to the common man. Information about tax filings, credit history, and financial records can help root out corruption, for example. </p>
<p>d)<span class="Apple-tab-span"> </span>The kinds of personal data that are broadcast in the transparency bulletins should be limited with specifics shared if need be on a case by case basis. </p>
<p>e)<span class="Apple-tab-span"> </span>As the approach paper itself mentions, the RTI Act is extremely sensitive to the issue of privacy and privacy is one of the most frequent grounds of refusal of data by public bodies. </p>
<p>f)<span class="Apple-tab-span"> </span>Rulings by various information appellate bodies under the RTI Act have done an admirable job of balancing issues of privacy against the public interest and the proposed privacy legislation ought not to disturb this careful balance. </p>
<p>g)<span class="Apple-tab-span"> </span>We recommend that the proposed privacy legislation contain a non-obstante clause that subordinates it to the provisions of the RTI Act. </p>
</div>
</div>
<h3>7.2 Data Protection and Credit Verification</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the statement but believe the privacy issues that would come up are not limited to just credit verification. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>All aspects of data collection and handling for the financial sector should be looked into and statutes developed to deal with the sensitive nature of the data. </p>
<p>c)<span class="Apple-tab-span"> </span>This may include limitations on marketing efforts and disclosure to third-parties. </p>
</div>
<h3>7.3 Data Protection and Private Investigative Agencies</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the private investigators should undergo licensure, and that the PI agencies should be regulated so that any kind of surveillance must comply with privacy protection laws. </p>
<div>
<div>
<p>b)<span class="Apple-tab-span"> </span>Judicial oversight should be required in order to take certain kinds of action (access to records, surveillance, monitoring, etc) by these agencies. </p>
</div>
<h3>7.4 Data Protection and National Security</h3>
</div>
<p>a)<span class="Apple-tab-span"> </span>We understand the conflict between the need for a government to ensure the security of its population with the need to protect privacy. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We find the most effective resolution is for judicial oversight for some activities (monitoring, surveillance, access to personal records by law enforcement, etc) to be required. </p>
</div>
</div>
<h3>7.5 Data Protection vs. Transparency in Government</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that this section engages very sloppily with the issue of transparency/corruption in India. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>It completely ignores the history of the various struggles for transparency in government fought across India, that were aimed precisely at prodding the government out of its secretive shell. </p>
<p>c)<span class="Apple-tab-span"> </span>In doing so the approach paper risks retarding, at one stroke, all the advances made by these several movements over the past fifty years. </p>
<p>d)<span class="Apple-tab-span"> </span>The publication of lists of recipients/beneficiaries of schemes has been one of the most hard won, and potent tools that has been used to mobilize collective action by locals against corrupt officials. </p>
<p>e)<span class="Apple-tab-span"> </span>We empathise with the approach paper’s aspiration that the government “rethink its approach to transparency”, but are skeptical that a new privacy law would, of all things, prompt such a transformative rethinking. We advise caution and certainly greater sensitivity in handling this issue. </p>
</div>
<h3>8.0 Privacy legislation in other countries:</h3>
<p>a)<span class="Apple-tab-span"> </span>We agree with the recommendations, but would include notification of breach: how, when, what and who. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the auditing of companies is an important security and transparency mechanism that needs to be included, along with the ability to sanction offenders and methods of redressal for aggrieved parties. </p>
</div>
</div>
</div>
<h3>9.0 Proposed Framework for Privacy Legislation: </h3>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>Although India lacks a horizontal law of privacy, various sectoral laws currently function to provide a degree of protection. For instance, sectoral regulatory agencies such has TRAI, RBI and SEBI have periodically issued guidelines on privacy which are enforceable through tribunals and ombudsmen under the respective enactments. Professional bodies like the Medical Council and the Bar Council prescribe privacy and confidentiality norms which members of these bodies must adhere to. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In this context, the approach paper’s suggestion of a “framework” followed by sectoral guidelines would appear to be no more than a duplication through statute of the extant state of affairs. </p>
<p>c)<span class="Apple-tab-span"> </span>We would recommend instead, the provision in the act of a robust, general “right to privacy” which would provide a threshold level of protection to the individual. Sectoral guidelines on privacy could then be framed to operate in addition to existing sectoral norms, thereby raising the bar of privacy in that particular sector. </p>
<p>d)<span class="Apple-tab-span"> </span>We also find the framework primarily targeted toward digital data protection alone, and it needs to address all forms of information and include personal and intellectual contexts.</p>
</div>
</div>
<h3>9.1 Applicability</h3>
<div>
<p>We endorse the approach paper’s recommendation that the proposed legislation apply both to private and public entities. However, we feel that this does not exhaust the issue of ‘applicability’. Specifically we invite the Committee’s attention to the following issues:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that the data and the private information that are already in the possession of the government and public/private companies should come under the ambit of the legislation. I.e. it should be applicable to all data collected by any entity, regardless of the fact that such data is otherwise publicly obtainable.</p>
<p>b)<span class="Apple-tab-span"> </span>We invite the Committee’s consideration on whether it would be wise to limit the applicability of the act to regulating the organized, systematic collection of large amounts of personal data by entities, however incorporated. This would, as the approach paper suggests, exempt from the purview of this Act, private and domestic collection of information. In addition it would exempt marginal collectors such as hobbyist website designers, academic researchers etc from the scope of this act. Remedies against these users would still remain, as they have thus far in Tort law. </p>
</div>
<h3>9.2 Data</h3>
<div>
<p>While we acknowledge that certain kinds of information may be more sensitive than others, we feel that the approach paper has not adequately made use of this distinction in its later segments. Specifically we believe:</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>The distinction is useful to prescribe enahanced security precautions during the stage of data collection. For example, the collection of genetic data or HIV status of a person can be made subject to very stringent conditions compared to say, the collection of more mundane details like name, age. </p>
<p>b)<span class="Apple-tab-span"> </span>However, we believe the distinction is not useful if is used, say, to provide differentiated access/data security standards for the two types of information. Eg. If the law stipulated a lesser penalty for the exposure of personal data as opposed to sensitive data. Or if the law prescribed a lesser security standard for personal data compared to personal sensitive data. The threat posed by information depends heavily on the context in which it is used, and in the tragic aftermath of Godhra, even a list of names (which the approach paper has not regarded as ‘sensitive’) could be used to lethal purposes.</p>
</div>
</div>
</div>
<h3> 9.3 Personal Data</h3>
<div>
<p>We endorse the need expressed by the approach paper for a multilateral definition of the way in which information may identify a person</p>
</div>
</div>
<h3>9.4 Personal Sensitive Data </h3>
<p> See comments at 9.2 above </p>
<div>
<div><span class="Apple-style-span"></span></div>
</div>
<h3>9.5 Data Collection</h3>
<div>
<div>
<div>
<p>a)<span class="Apple-tab-span"> </span>We feel that while informed consent ought to be mandatory in all situations the mandatory requirement of informed ‘written’ consent could be confined only to collection of sensitive information and any information that is likely to be stored for longer durations than say, a week. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would exempt benign uses such as by academic researchers or hobbyist website designers or photographers who inadvertently collect small quantities of ‘personal data’. </p>
<p>c)<span class="Apple-tab-span"> </span>Simultaneously, more ‘industrial’ collectors of personal information such as telephone and insurance companies would be required to obtained written consent. Note that this would not exempt them from the requirement of observing standards of data security, but only free them of the obligation of having obtained written consent. </p>
<p>d)<span class="Apple-tab-span"> </span>It is important that this requirement would be in addition to but not diminish consent requirements under existing law. For instance, various judicial decisions and the NHRC have stipulated guidelines governing the administration of the polygraph test to an accused. These include the provision of legal assistance and the requirement that consent be recorded before a judge. The simple requirement of “Informed written consent” under the privacy act should not override more other rigorous judicial guidelines. </p>
<p>e)<span class="Apple-tab-span"> </span>As a overriding safeguard, we think that where “balancing interests” come into play, such interest must first seek and obtain judicial approbation.</p>
</div>
</div>
<h3> 9.6 Data Processing</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree with the need to fix primary responsibility for data security on the data controller, however, </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>it may be in the interest of the citizen/victim to stipulate that in the event of a breach by the data processor, she may prefer her remedy against either the data processor or the data controller. </p>
<p>c)<span class="Apple-tab-span"> </span>We reject the approach paper’s view that concessions need to be made “considering the population of India”. After all, considering this population, the very necessity of a privacy legislation itself may also have to “be considered”. </p>
</div>
</div>
</div>
<h3>9.7 Data Storage</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We concur that data should be stored only until the time the purpose for which it was collected is achieved. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Further, the Committee could consider introducing a presumption that in all cases, unless demonstrated otherwise, the purpose of data collection would be deemed to have been served within, say, 6 months from the date of collection. </p>
<p>c)<span class="Apple-tab-span"> </span>We believe that this could be strengthened by placing the onus on the data controller, in the event of any dispute, to prove that the stated purpose has not yet been achieved. Any data that are required for national security or for archival, etc should come under the scrutiny of the judiciary. </p>
<p>d)<span class="Apple-tab-span"> </span>We endorse the approach paper’s conservative stance on linking of databases. </p>
</div>
</div>
<h3>9.8 Data Security</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We invite the Committee to explore the possibility of gradated data security standards depending on the size of the data collection and the sensitivity of the information held. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>This would ensure that different security standards would apply to, on the one hand, academic researchers and hobbyist website designers who collect marginal data in small ephemeral collections, and on the other hand large insurance companies which maintain large perpetual data warehouses of personal information. </p>
</div>
</div>
<h3>9.9 Data Access</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree that data subjects ought to have a ‘moral right’ that guarantees the integrity of data collected and maintained about them. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>We believe that the proposed legislation should provide a clear and speedy mechanism to activate this right. </p>
</div>
</div>
<h3>9.10 Cross Border Applicability and Transfer</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We would argue that India does need comprehensive legislation and strong enforcement. Population size is not a reason for loose legislation. To the contrary, it buttresses the argument for urgent action to be taken, since the stakes are exponentially greater in a country where a billion people stand to lose their privacy compared to countries with populations numbering in the trifling millions. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Furthermore, the benefits to international trade should be taken into consideration when determining the stringency of a data protection regime, and this should inform the terms of the statutes that are enacted. </p>
</div>
</div>
<h3>9.11 Exemptions</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We believe that exemptions to the legislation should be carefully worded and where possible, permitted only through judicial oversight. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>Care must be taken to see that exemptions under the proposed legislation do not end up widening the scope of intrusion than allowable under existent law. eg. An exemption in the Privacy act on grounds of ‘national security’ should not permit wiretapping agencies to circumvent the due procedure requirements under the Telegraph Act or to violate principles of natural justice.</p>
</div>
</div>
<h3>9.12 Automated Decision Making</h3>
<div>
<p>a)<span class="Apple-tab-span"> </span>We agree but we think that there is a present need for automated decision related laws since the technology is already in use in India and other countries. </p>
<div>
<p>b)<span class="Apple-tab-span"> </span>In particular, we would endorse the incorporation of provisions which would compel disclosure of the fact that automated decision making algorithms are being employed along with a synopsis of the logic of such algorithms. </p>
</div>
</div>
<h3>9.13 Regulatory Set Up</h3>
<div>
<p>We believe that effective regulation and inexpensive, speedy redress are critical for the success of the proposed right to privacy legislation. We believe the approach paper, while admirable in the scope of the subject it covers, deals with this issue rather inadequately under the overbroad heading of “Regulatory Set up” .</p>
<div>
<p>a)<span class="Apple-tab-span"> </span>At the outset we believe that standards-setting functions could be and ought to be separated from adjudicatory functions. This is a model that has proven successful in various other domains in India in the recent past (eg. TRAI/TDSAT and SEBI/SAT. ) and could be usefully imported in the present context </p>
<p>b)<span class="Apple-tab-span"> </span>Secondly, we we believe that the approach paper is not clear enough on whether civil or criminal penalties are intended. We believe that a judicious mix of both would be necessary in order to minimize the risk of individuals being needlessly harassed by enforcement agencies, whilst simultaneously dealing firmly with corporations and other entities whose violations of privacy threaten the greatest harm. We believe that the proposed legislation could be modeled along the lines of the Workmen’s Compensation Act, the Motor Vehicles Act and similar legislations which provide a minimum assured relief immediately upon the establishment of a claim. </p>
<p>c)<span class="Apple-tab-span"> </span>Lastly, we firmly reject the approach paper’s proposal to merge the functions of the data regulator under the Privacy legislation with those of the Information Commissioners under the Right to Information Act. We believe that the Right to Information Act is a landmark legislation which has, in a short while, become a critical tool of empowerment in the hands of the citizens and civil service organizations. One of the most frequently cited reasons by which government departments refuse access to information under the RTI is on grounds of ‘privacy’. In most cases these turn out to be delaying tactics to shield the actions of a few corrupt officials from public scrutiny. The success of the RTI Act hinges on its interpretation and promulgation by officers who believe in the peremptory importance of openness of information in the public interest. The right to privacy demands an opposite orientation and the merging of the two in one officer would lead to an unsatisfactory implementation of both. We believe, as indicated above, that privacy claims that conflict with a citizen’s exercise of her right to information are being resolved satisfactory by the information commissioners under the RTI Act at present and the proposed Privacy legislation should not disturb this. </p>
</div>
</div>
<h2>Conclusion</h2>
<div>
<p>We commend the drafters of the approach paper for their having skillfully woven together the best international practices related to privacy, with an eye to specifics of the Indian situation. However we also feel that the Committee could have been better served by a more detailed study of statutory enforcement models and mechanisms that have succeeded in expanding the reach of remedies to Indians eg. the Consumer Protection Act, Motor Vehicles Act etc.</p>
<div>
<div> </div>
</div>
<div><a href="https://cis-india.org/internet-governance/blog/privacyapproachpaper" class="internal-link" title="Privacy Approach Paper">Approach Paper: 121KB</a></div>
<p> </p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper'>https://cis-india.org/internet-governance/blog/privacy/c.i.s-responds-to-privacy-approach-paper</a>
</p>
No publisherelonnai2012-03-21T10:08:10ZBlog EntryAmerican Bar Association Online Privacy Conference: A Report
https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference
<b>On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panalists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take. </b>
<h3>Introduction</h3>
<p>On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:</p>
<ul><li>Lisa Sotto, a private practitioner in the US</li><li>Billy Hawkes, Commissioner of Data Protection, Ireland</li><li>Bojana Bellamy, Director of Data Privacy, London, UK</li><li>Hugh Stevenson, Deputy Director of the Federal Trade Commission, US</li><li> Jennifer Stoddart, Privacy Commissioner, Canada.</li></ul>
<p>The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought about.</p>
<h3>Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross- border Data Transfer</h3>
<p>When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer – the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data the data breach. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice, was the emerging trend of “privacy by design". “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors, would be particularly useful in a sectoral system like the US, where companies that collect data, but are not apart of the regulated sectors (financial, health, etc) do not come within the purview of the privacy protecting laws.</p>
<h3>Privacy Seals Globally? Privacy Seals in India?</h3>
<p>If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal". Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.</p>
<h3>Accountability:</h3>
<p>In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy – the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an“accountability principle” to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable -or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate the data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment,monitoring,sanctions, and internal and external audits The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that the data controllers would need to strengthen their internal arrangements. Further accountability measures considered by the Directive working party include: Establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to endure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of data protection officer, offering adequate data protection, training, and education to staff members.</p>
<h3>Data Breaches:</h3>
<p>The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly date breaches are a continual, often very serious problem. Few people though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have a well defined data breach policies set in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements into their laws. Also, Despite this, there are no broad statutes for data breach notification in the US or the EU. Also in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported.. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, through bad press, the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and question that self regulation face are:</p>
<p>Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?</p>
<ul><li>How will the balance between over-reporting breaches with under-reporting breaches be maintained?</li><li>Even if there is a social incentive to provide notification of breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?</li><li>If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?</li></ul>
<p>These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider integrating data breach statutes into broad legislation. </p>
<h3> E-Privacy Directive Breach Notification:</h3>
<p>Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, than the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:</p>
<p>1. The type of information and compromised number of records</p>
<p>2. The circumstances of the loss, release, or corruption</p>
<p>3. Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed</p>
<p>4. details of how the breach is being investigated,</p>
<p>5. whether any other regulatory bodies have been informed and, if so, their responses</p>
<p>6. remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment. </p>
<h3>Accountability, breach notification: What material should India think about for a legal privacy structure?</h3>
<p>Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legal legislation it is important to look at what purpose that legislation is going to serve, and if that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities, for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces both similar and different challenges that the EU and Western countries are face in concern with privacy. One of the greatest privacy challenges in India today, despite having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:</p>
<p>· Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?</p>
<p>· If India wants a broad privacy framework how will this be set up?</p>
<p>· What will be the tools used for civil education?</p>
<p>· How will enforcement take place ? </p>
<p>· Is self regulated accountability or statuary accountability better?</p>
<p>· Will there be a privacy tribunal?</p>
<p>· How will data be categorized? </p>
<p>· Will breaches be notified?</p>
<p>· Will standardized privacy policies be created?</p>
<p> As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy? To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:08:36ZBlog EntryPrivacy, Free/Open Source, and the Cloud
https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing
<b>A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. </b>
<h3>Introduction</h3>
<p>Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service- oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.</p>
<p>There are both corporate and consumer implications for such a system. For example, according cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.” Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.</p>
<h3>Privacy Concerns:</h3>
<p> Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individuals information protected?</p>
<p>These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for limited amount of time for purposes for law enforcement, but other countries may allow retention of data for shorter or longer periods of time.</p>
<h3>How are privacy, free/open source, and the cloud related ?</h3>
<p>Eben Moglen, a professor from Columbia law school, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute for science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual. Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.</p>
<h3>Is free/open software the solution?</h3>
<p> Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data (will help you protect data better – add more security)? Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.</p>
<h3>Conclusion</h3>
<p> Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not just enter into American society and immediately fix issues of privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that actually is readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</a>
</p>
No publisherelonnaiOpennessInternet GovernancePrivacy2012-03-22T05:50:10ZBlog EntryPrivacy Concerns in Whole Body Imaging: A Few Questions
https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions
<b>Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions then such measures need to balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.</b>
<p><strong>What is Whole Body Imaging? </strong></p>
<p>Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons. </p>
<h3>How are These Technologies Being Used - Two News Items to Ponder: <br /></h3>
<p><strong>News Item One </strong></p>
<p>In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.</p>
<p>Also, in response to the attempted attack on the U.S, the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zoomed over parts of the image for a better look, if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased. The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.</p>
<p>Despite this, the machines are controversial because they generate images of a passengers' entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.</p>
<p><strong>News Item Two</strong></p>
<p>In October this year, Fox News came out with a story that told how the use of x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the inside of the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The cars are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the car. Reactions to the vans have been mixed. Some worry about the invasion to privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual‘s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car. </p>
<h3>Questions at the Heart of the WBI Debate: <br /></h3>
<p>Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers? Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead into a declared national emergency. Furthermore, how can legislation and policy, which has traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?</p>
<p><strong>How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? <br /></strong></p>
<p>Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.</p>
<p>In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further. A Nigerian leader also pledged to use full-body scanners.</p>
<p>Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate the tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners, was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.</p>
<p>The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</a>
</p>
No publisherelonnaiPrivacy2012-03-21T10:09:02ZBlog Entry