The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 5.
MOBILE PHONE PATENTS- PRIOR ART SURVEY
http://editors.cis-india.org/a2k/blogs/mobile-phone-patents-prior-art-survey.xlsx
<b>A study on a portion of the patent landscape around mobile phone patents, commissioned by CIS earlier this year</b>
<p>
For more details visit <a href='http://editors.cis-india.org/a2k/blogs/mobile-phone-patents-prior-art-survey.xlsx'>http://editors.cis-india.org/a2k/blogs/mobile-phone-patents-prior-art-survey.xlsx</a>
</p>
No publisherprachi2013-10-24T10:32:42ZFileTransparency Reports — A Glance on What Google and Facebook Tell about Government Data Requests
http://editors.cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests
<b>Transparency Reports are a step towards greater accountability but how efficacious are they really? </b>
<p style="text-align: justify; ">Prachi Arya examines the transparency reports released by tech giants with a special focus on user data requests made to <a class="external-link" href="https://www.google.co.in/">Google</a> and <a class="external-link" href="https://www.facebook.com/">Facebook</a> by Indian law enforcement agencies. <i></i></p>
<p style="text-align: justify; "><i>The research was conducted as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">According to a recent <a class="external-link" href="http://www.comscore.com/Insights/Press_Releases/2013/8/comScore_Releases_the_2013_India_Digital_Future_in_Focus_Report">comScore Report</a> India has now become the third largest internet user with nearly 74 million citizens on the Internet, falling just behind China and the United States. The report also reveals that Google is the preferred search engine for Indians and Facebook is the most popular social media website followed by <a class="external-link" href="http://www.linkedin.com/">LinkedIn</a> and <a class="external-link" href="https://twitter.com/">Twitter</a>. While users posting their photos on Facebook can limit viewership through privacy settings, there isn’t much they can do against government seeking information on their profiles. All that can be said for sure in the post-Snowden world is that large-scale surveillance is a reality and the government wants it on their citizen’s online existence. In this Orwellian scenario, transparency reports provide a trickle of information on how much our government finds out about us.</p>
<p style="text-align: justify; ">The first transparency report was released by Google three years ago to provide an insight into <a class="external-link" href="http://googleblog.blogspot.in/2013/04/transparency-report-more-government.html">‘the scale and scope of government requests for censorship and data around the globe’</a>. Since then the issuance of such reports is increasingly becoming a standard practice for tech giants. An <a class="external-link" href="https://www.eff.org/who-has-your-back-2013">Electronic Frontier Foundation Report</a> reveals that major companies that have followed Google’s lead include Dropbox, LinkedIn, Microsoft and Twitter<a href="#_ftn3" name="_ftnref3"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"> </span></span></a> with Facebook and Yahoo! being the latest additions<a href="#_ftn4" name="_ftnref4"><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"> </span></span></a>. Requests to <a class="external-link" href="https://transparency.twitter.com/">Twitter</a> and <a class="external-link" href="https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft</a> from Indian law enforcement agencies were significantly less than requests to Facebook and Google. Twitter revealed that Indian law enforcement agencies made less than 10 requests, none of which resulted in sharing of user information. Out of the 418 requests made to Microsoft by India (excluding Skype), 88.5 per cent were complied with for non-content user data. The <a class="external-link" href="http://info.yahoo.com/transparency-report/">Yahoo! Transparency Report</a> revealed that 6 countries surpassed India in terms of the number of user data requests. Indian agencies requested user data 1490 times from 2704 accounts for both content and non-content data and over 50 per cent of these requests were complied with.</p>
<p style="text-align: justify; ">The following is a compilation of what the latest transparency reports issued by Facebook and Google.</p>
<h3 class="external-link"><a class="external-link" href="http://www.google.com/transparencyreport/">Google</a></h3>
<blockquote class="quoted" style="text-align: justify; ">"The information we share on the Transparency Report is just a sliver of what happens on the internet"<br /><b>Susan Infantino</b>, <i>Legal Director for Google</i></blockquote>
<p class="MsoListParagraph">Beginning from December 2009, Google has published several biannual transparency reports:</p>
<ul>
<li style="text-align: justify; ">It discloses traffic data of Google services globally and statistics on removal requests received from copyright owners or governments as well as user data requests received from government agencies and courts. It also lays down the legal process required to be followed by government agencies seeking data.</li>
</ul>
<ul>
<li style="text-align: justify; ">There was a 90 per cent increment in the number of <a class="external-link" href="http://www.google.com/transparencyreport/removals/government/">content removal requests</a> received by Google from India. The requests complied with included:
<ul>
<li style="text-align: justify; ">Restricting videos containing clips from the controversial movie “Innocence of Muslims” from view. </li>
<li style="text-align: justify; ">Many YouTube videos and comments as well as some Blogger blog posts being restricted from local view for disrupting public order in relation to instability in North East India.</li>
</ul>
</li>
<li style="text-align: justify; ">For <a class="external-link" href="http://www.google.com/transparencyreport/userdatarequests/IN/">User Data requests</a>, the Google report details the number of user data requests and users/accounts as well as percentage of requests which were partially or completely complied with. In India the user data requests more than doubled from 1,061 in the July-December 2009 period to 2,431 in the July-December 2012 period. The compliance rate decreased from 79 per cent in the July-December 2010 period to 66 per cent in the last report.</li>
<li style="text-align: justify; ">Jurisdictions outside the United States can seek disclosure using Mutual Legal Assistance Treaties or any ‘other diplomatic and cooperative arrangement’. Google also provides information on a voluntary basis if requested following a valid legal process if the requests are in consonance with international norms, U.S. and the requesting countries' laws and Google’s policies.</li>
</ul>
<h3><a class="external-link" href="https://www.facebook.com/about/government_requests">Facebook</a></h3>
<ul>
<blockquote class="quoted" style="text-align: justify; ">"We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations." <br /><b>Colin Stretch</b>, <i> Facebook General Counsel</i></blockquote>
</ul>
<p style="text-align: justify; ">Facebook inaugurated its first ever transparency report last Tuesday with a promise to continue releasing these reports.</p>
<ul>
<li style="text-align: justify; ">The ‘Global Government Requests Report’ provides information on the number of requests received by the social media giant for user/account information by country and the percentage of requests it complied with. It also includes operational guidelines for law enforcement authorities.</li>
</ul>
<ul>
<li style="text-align: justify; ">The report covers the first six months of 2013, specifically till June 30. In this period India made 3,245 requests from 4,144 users/accounts and half of these requests were complied with. </li>
</ul>
<ul>
<li style="text-align: justify; ">Jurisdictions outside the United States can seek disclosure by way of mutual legal assistance treaties requests or letter rogatory. Legal requests can be in the form of search warrants, court orders or subpoena. The requests are usually made in furtherance of criminal investigations but no details about the nature of such investigations are provided.</li>
</ul>
<ul>
<li style="text-align: justify; ">Broad or vague requests are not processed. The requests are expected to include details of the law enforcement authority issuing the request and the identity of the user whose details are sought. </li>
</ul>
<h3>The Indian Regime</h3>
<p style="text-align: justify; ">Section 69 and 69 B of the <a class="external-link" href="http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf">Information Technology (Amended) Act, 2008</a> prescribes the procedure and sets safeguards for the Indian Government to request user data from corporates. According to section 69, authorized officers can issue directions to intercept, monitor or decrypt information for the following reasons:</p>
<ol>
<li>Sovereignty or integrity of India,</li>
<li>Defence of India,</li>
<li>Security of the state,</li>
<li>Friendly relations with foreign states, </li>
<li>Maintenance of public order,</li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above, or</li>
<li>For investigation of any offence.</li>
</ol>
<p style="text-align: justify; ">Section 69 B empowers authorized agencies to monitor and collect information for cyber security purposes, including ‘for identification, analysis and prevention of intrusion and spread of computer contaminants’. Additionally, there are rules under section 69 and 69 B that regulate interception under these provisions.</p>
<p style="text-align: justify; ">Information can also be requested through the Controller of Certifying Authority under section 28 of the IT Act which circumvents the stipulated procedure. If the request is not complied with then the intermediary may be penalized under section 44.</p>
<p style="text-align: justify; ">The Indian Government has been increasingly leaning towards greater control over online communications. In 2011, <a class="external-link" href="http://in.news.yahoo.com/court-stays-rs-11-lakh-fine-imposed-yahoo-163503671.html">Yahoo! was slapped with a penalty of Rs. 11 lakh</a> for not complying with a section 28 request, which called for email information of a person on the grounds of national security although the court subsequently stayed the Controller of Certifying Authorities' order.<a href="#_ftn7"> </a> In the same year the government called for <a href="http://editors.cis-india.org/internet-governance/unkindest-cut-mr-sibal" class="external-link">pre-screening user content</a> by internet companies and social media sites to ensure deletion of ‘objectionable content’ before it was published.<a href="#_ftn8"> </a> Similarly, the government has increasingly sought <a class="external-link" href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">greater online censorship</a>, using the Information Technology Act to arrest citizens for social media posts and comments and even emails criticizing the government.<a href="#_ftn9"> </a></p>
<h3 style="text-align: justify; ">What does this mean for Privacy?</h3>
<p style="text-align: justify; ">The Google Transparency Report has thrown light on an increasing trend of governmental data requests on a yearly basis. The reports published by Google and Facebook reveal that the number of government requests from India is second only to the United States. Further, more than 50 per cent of the requests from India have led to disclosure by nearly all the companies surveyed in this post, with Twitter being the single exception.</p>
<p style="text-align: justify; ">Undeniably, transparency reports are important accountability mechanisms which reaffirm the company’s dedication towards protecting its user’s privacy. However, basic statistics and vague information cannot lift the veil on the full scope of surveillance. Even though Google’s report has steadily moved towards a more nuanced disclosure, it would only be meaningful if, <i>inter alia</i>, it included a break-up of the purpose behind the requests. Similarly, although Google has also included a general understanding of the legal process, more specifics need to be disclosed. For example, the report could provide statistics for notifications to indicate how often user’s under scrutiny are not notified. Such disclosures are important to enhance user understanding of when their data may be accessed and for what purposes, particularly without prior or retrospective intimation of the same. Till such time the report can provide comprehensive details about the kind of surveillance websites and internet services are subjected to, it will be of very limited use. Its greatest limitation, however, may lie beyond its scope.</p>
<p style="text-align: justify; ">The monitoring regime envisioned under the Information Technology Act effectively lays down an overly broad system which may easily lead to abuse of power. Further, the Indian Government has become infamous for their need to control websites and social media sites. Now, with the Indian Government’s plan for establishing the Central Monitoring System the need for intermediaries to conduct the interception may be done away with, giving the government unfettered access to user data, potentially rendering corporate transparency of data requests obsolete.</p>
<ul>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests'>http://editors.cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests</a>
</p>
No publisherprachiInternet GovernancePrivacy2013-09-13T09:44:53ZBlog Entry6th Privacy Roundtable
http://editors.cis-india.org/internet-governance/blog/14x6a.jpg
<b></b>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/14x6a.jpg'>http://editors.cis-india.org/internet-governance/blog/14x6a.jpg</a>
</p>
No publisherprachi2013-08-30T08:15:37ZImageReport on the Sixth Privacy Roundtable Meeting, New Delhi
http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi
<b>In 2013 the Centre for Internet and Society (CIS) drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with Federation of Indian Chambers of Commerce and Industry (FICCI) and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India. The following is a report on the Sixth Privacy Roundtable held in New Delhi on August 24, 2013.
</b>
<hr />
<p style="text-align: justify; "><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.</i></p>
<hr />
<p></p>
<p> </p>
<h2>Introduction<b> </b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">A series of seven multi-stakeholder roundtable meetings on "privacy" were conducted by CIS in collaboration with FICCI from April 2013 to August 2013 under the Internet Governance initiative. DSCI joined CIS and FICCI as a co-organizer on April 20, 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">CIS was a member of the Justice A.P. Shah Committee which drafted the "<a class="external-link" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report of Groups of Experts on Privacy</a>". CIS also drafted a <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft" class="external-link">Privacy (Protection) Bill 2013</a> (hereinafter referred to as ‘the Bill’), with the objective of establishing a well protected privacy regime in India. CIS has also volunteered to champion the session/workshops on "privacy" in the final meeting on Internet Governance proposed for October 2013.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">At the roundtables the Report of the Group of Experts on Privacy and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The dates of the six Privacy Round Table meetings are enlisted below:</p>
<ol>
<li>New Delhi Roundtable: April 13, 2013</li>
<li>Bangalore Roundtable: April 20, 2013</li>
<li>Chennai Roundtable: May 18, 2013</li>
<li>Mumbai Roundtable: June 15, 2013</li>
<li>Kolkata Roundtable: July 13, 2013</li>
<li>New Delhi Roundtable: August 24, 2013</li>
<li>New Delhi Final Roundtable and National Meeting: October 19, 2013</li>
</ol>
<p style="text-align: justify; ">This Report provides an overview of the proceedings of the Sixth Privacy Roundtable (hereinafter referred to as 'the Roundtable'), conducted at FICCI, Federation House in Delhi on August 24, 2013. <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="internal-link" title="The Personal Data (Protection) Bill, 2013">The Personal Data (Protection) Bill, 2013 </a>was discussed at the Roundtable.</p>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The Sixth Privacy Roundtable began with reflections on the evolution of the Bill. In its penultimate form, the Bill stands substantially changed as compared to its previous versions. For the purpose of this Roundtable, which entailed participation largely from industry organizations and other entities who handle personal data, only the personal data regime was discussed. This debate was distinguished from the general and specific discussion relating to privacy, surveillance and interception of communications as it was felt that greater expertise was required to deal adequately with such a vast and nuanced area. After further discussion with security experts, the provisions on surveillance and privacy of communications will be reincorporated resulting in omnibus privacy legislation. To reflect this alteration in the ambit of the Bill in its current form, its title was changed to <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill</a> from the more expansive – Privacy (Protection) Bill.</p>
<h2>Chapter I – Preliminary</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 2 of the first chapter enumerates various definitions including ‘personal data’, which is defined as any data that can lead to identification and ‘sensitive personal data’; a subset of personal data defined by way of a list. The main contentions arose in relation to the latter definition.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Religion and Caste</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">A significant modification is found in the definition of ‘sensitive personal data’, which has expanded to include two new categories, namely, (i) ethnicity, religion, race or caste, and (ii) financial and credit information. Although discussed previously, these two categories have hitherto been left out of the purview of the definition as they are fraught with issues of practicality. In the specific example of caste, the government has historically indulged in large-scale data collection for the purpose of census, for example as conducted by the Ministry of Rural Development and the Ministry of Social Justice and Empowerment, Government of India. Further, in the Indian scenario, various statutory benefits accrue from caste identities under the aegis of affirmative action policies. Hence, categorizing it as sensitive personal data may not be considered desirable. The problem is further exacerbated with respect to religion as even a person’s name can be an indicator. In light of this, some issues under consideration were –</p>
<ul>
<li>Whether religion and caste should be categorized as sensitive personal data or personal data?</li>
<li>Whether it is impracticable to include it in either category?</li>
<li>If included as sensitive personal data, how should it be implemented?</li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">The majority seemed to lean towards including it under the category of sensitive personal data rather than personal data. It was argued that the categorization of some personal data as sensitive was done on the basis of higher potential for profiling or discrimination. In the same vein, caste and religious identities were sensitive information, requiring greater protection as provided under section 16 of the Bill. Regarding the difficulties posed by revealing names, it was proposed that since it was not an indicator by default, this consideration could not be used as a rationale to eliminate religion from the definition. Instead, it was suggested that programmes sensitizing the populous to the implications of names as indicators of religion/caste should be encouraged. With regard to the issue of census, where caste information is collected, it was opined that the same could be done in an anonymously as well. The maintenance of public databases including such information by various public bodies was considered problematic for privacy as they are often easily accessible and hence have a high potential for abuse. Overall, the conclusion was that the potential for abuse of such data could be better curtailed if greater privacy requirements were mandated for both private and public organizations. The collection of this kind of data should be done on a necessity basis and kept anonymous wherever possible. However, it was acknowledged that there were greater impracticalities associated with treating religion and caste as sensitive personal data. Further, the use and disclosure of indicative names was considered to be a matter of choice. Often caste information was revealed for affirmative action schemes, for example, rank lists for admissions or appointments. In such cases, it was considered to be counter-productive to discourage the beneficiary from revealing such information. Consequently, it was suggested that they could be regulated differently and qualified wherever required. The floor was then thrown open for discussing the other categories included under the definition of ‘sensitive personal data’.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Political Affiliation<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another contentious issue discussed at the Roundtable was the categorization of ‘political affiliation’ as ‘sensitive personal data’. A participant questioned the validity of including it in the definition, arguing that it is not an issue in India. Further, it was argued that one’s political affiliation was also subject to change and hence did not mandate higher protection as provided for sensitive personal data. Instead, if included at all, it should be categorized as ‘personal data’. This was countered by other participants who argued that revealing such information should be a matter of choice and if this choice is not protected adequately, it may lead to persecution. In light of this, changing one’s political affiliation particularly required greater protection as it may leave one more vulnerable. Everyone was in agreement that the aggregation of this class of data, particularly when conducted by public and private organizations, was highly problematic, as evidenced by its historic use for targeting dissident groups. Further, it was accepted unanimously that this protection should not extend to public figures as citizens had a right to know their political affiliation. However, although there was consensus on voting being treated as sensitive personal data, the same could not be reached for extending this protection to political affiliation.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conviction Data<b> <br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The roundtable also elicited a debate on conviction data being enumerated as sensitive personal data. The contention stemmed from the usefulness of maintaining this information as a matter of public record. Inter alia, the judicial practice of considering conviction history for repeat offenders, the need to consider this data before issuing passport and the possibility of establishing a sex offenders registry in India were cited as examples for the same.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Financial and Credit Information<b><br /></b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">From the outset, the inclusion of Financial and Credit information as sensitive personal data was considered problematic as it would clash directly with existing legislations. Specifically, the Reserve Bank of India mandates on all issues revolving around this class of data. However, it was considered expedient to categorize it in this manner due to grave mismanagement associated with it, despite existing protections. In this regard, the handling of Credit Information was raised as an issue. Even though it is regulated under the Credit Information Companies (Regulation) Act, 2005, its implementation was found to be wanting by some participants. In this context, the harm sought to be prevented by its inclusion in the Bill was unregulated sharing of credit-worthiness data with foreign banks and organs of the state. Informed consent was offered as the primary qualifier. However, some participants proposed that extending a strong regime of protection to such information would not be economically viable for financial institutions. Thus, it was suggested that this category should be categorized as personal data with the aim of regulating unauthorized disclosures.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The debate on the definition of sensitive personal data concluded with the following suggestions and remarks:</p>
<ul>
<li style="text-align: justify; ">The categories included under sensitive personal data should be subject to contextual provisions instead of blanket protection.</li>
<li style="text-align: justify; ">Sensitive personal data mandates greater protection with regard to storage and disclosure than personal data.</li>
<li style="text-align: justify; ">While obtaining prior consent is important for both kinds of data, obtaining informed consent is paramount for sensitive personal data.</li>
<li style="text-align: justify; ">Both classes of data can be collected for legitimate purposes and in compliance with the protection provided by law. </li>
</ul>
<h2>Chapter II – Regulation of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter of the Bill establishes a negative statement of a positive right under Section 3 along with exemptions under Section 4, as opposed to the previous version of the Bill, discussed at the fifth Privacy Roundtable, which established a positive right. Thus, in its current form, the Bill provides a stronger regime for the regulation of personal data. The single exemption provided under this part is for personal or domestic use.</p>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The main issues under consideration with regard to this part were –</p>
<ul>
<li>The scope of the protection provided</li>
<li>Whether the exemptions should be expanded or diminished. </li>
</ul>
<p class="MsoNormalCxSpFirst" style="text-align: justify; ">A participant raised a doubt regarding the subject of the right. In response, it was clarified that the Bill was subject to existing Constitutional provisions and relevant case law. According to the apex court, in <i>Kharak Singh v. The State of U.P.</i> (1964), the Right to Privacy arose from the Right to Life and Personal Liberty as enshrined under Article 21 of the Constitution of India. Since the Article 21 right is applicable to all persons, the Right to Privacy has to be interpreted in conjunction. Consequently, the Right to Privacy will apply to both citizens and non-citizens in India. It would also extend to information of foreigners stored by any entity registered in India and any other entity having an Indian legal personality irrespective of whether they are registered in India or not.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The next issue that arose at the Roundtable stemmed from the exemption provided under Section 4 of the Bill. A participant opined that excluding domestic use of such data was unadvisable as often such data was used maliciously during domestic rows such as divorce. With regard to the how ‘personal and domestic use’ was to be defined it was proposed that the same had to cater existing cultural norms. In India, this entailed that existing community laws had to be followed which does not recognize nuclear families as a legal entity. It was also acknowledged that Joint Hindu Families had to be dealt with specially and their connection with large businesses in India would have to be carefully considered.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another question regarding exemptions brought up at the Roundtable was whether they should be broadened to include the information of public servants and the handling of all information by intelligence agencies. Similarly, some participants proposed that exemptions or exceptions should be provided for journalists, private figures involved in cases of corruption, politicians, private detective agencies etc. It was also proposed that public disclosure of information should be handled differently than information handled in the course of business.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Conclusion</h3>
<p class="MsoNormalCxSpLast" style="text-align: justify; ">The overall conclusion of the discussion on this Chapter was –</p>
<ul>
<li>All exemptions and exceptions included in this Chapter should be narrowly tailored and specifically defined.</li>
<li>Blanket exemptions should be avoided. The specificities can be left to the Judiciary to adjudicate on as and when contentions arise. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Chapter III – Protection of Personal Data</h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">This chapter seeks to regulate the collection, storage, processing, transfer, security and disclosure of personal data.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Personal Data</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Sections 5, 6 and 7 of the Bill regulate the collection of personal data. While section 5 establishes a broad bar for the collection of personal data, Section 6 and 7 provide for deviations from the same, for collecting data with and without prior informed consent respectively.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data with Prior Informed Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 6 establishes the obligation to obtain prior informed consent, sets out the regime for the same and by way of 2 provisos allows for withdrawal of consent which may result in denial of certain services.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The main issues discerned from this provision involved (i) notice for obtaining consent, (ii) mediated data collection, and (iv) destruction of data.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Regarding notice, some participants observed that although it was a good practice it was not always feasible. A participant raised the issue of the frequency of obtaining consent. It was observed that services that allowed its users to stay logged in and the storage of cookies etc. were considered benefits which would be disrupted if consent had to be obtained at every stage or each time the service was used. To solve this problem, it was unanimously accepted that consent only had to be obtained once for the entirety of the service offered except when the contract or terms and conditions were altered by the service provider. It was also decided that the entity directly conducting the collection of data was obligated to obtain consent, even if the same was conducted on behalf of a 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Mediated date collection proved to be a highly contentious issue at the Roundtable. The issue was determining the scope and extent of liability in cases where a mediating party collects data for a data controller for another subject who may or may not be a user. In this regard, two scenarios were discussed – (i) uploading pictures of a 3<sup>rd</sup> party by a data subject on social media sites like Facebook and (ii) using mobile phone applications to send emails, which involves, inter alia, the sender, the phone manufacturer and the receiver. The ancillary issues recognized by participants in this regard were – (i) how would data acquired in this manner be treated if it could lead to the identification of the 3<sup>rd</sup> party?, and (ii) whether destruction of user data due to withdrawal of consent amount to destruction of general data, i.e. of the 3<sup>rd</sup> party. The consensus was that there was no clarity on how such forms of data collection could be regulated, even though it seemed expedient to do so. The government’s inability to find a suitable solution was also brought to the table. In this regard it was suggested by some participants that the Principle of Collection Limitation, as defined in the A.P. Shah Committee Report, would provide a basic protection. Further the extent to which this would be exempted for being personal use was suggested as a threshold. A participant observed that it would be technically unfeasible for the service provider to regulate such collection, even if it involved illicit data such as pornographic or indecent photographs. Further, it was opined that such an oversight by the service provider could be undesirable since it would result in the violation of the user’s privacy. Thus, any proposal for regulation had to balance the data subject’s rights with that of the 3<sup>rd</sup> party. In light of this, it was suggested that the mediating party should be made responsible for obtaining consent from the 3<sup>rd</sup> party.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Another aspect of this provision which garnered much debate was the proviso mandating destruction of data in case of withdrawal of consent. A participant stated the need for including broad exceptions as it may not always be desirable. Regarding the definition of ‘destroy’, as provided for under Section 2, it was observed that it mandated the erasure/deletion of the data in its entirety. Instead, it was suggested, that the same could be achieved by merely anonymising the information.</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Collection of Data without Consent</h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 7 of the Bill outlines four scenarios which entail collection of personal data without prior consent, which are reproduced below -</p>
<p style="text-align: justify; "><i>“(a) necessary for the provision of an emergency medical service to the data subject;<br /></i><i>(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;<br />(c) necessary to prevent a reasonable threat to national security, defence or public order; or<br />(d) necessary to prevent, investigate or prosecute a cognisable offence”</i></p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Most participants at the Roundtable found that the list was too large in scope. The unqualified inclusion of prevention in that last two sub clauses was found to be particularly problematic. It was suggested that Section 7 (c) was entirely redundant as its provisions could be read into Section 7 (d). Furthermore, the inclusion of ‘national security’ as a basis for collecting information without consent was rejected almost unanimously. It was suggested that if it was to be included then a qualification was desirable, allowing collection of information only when authorized by law. Some participants extended this line of reasoning to Section 7 (c) as state agencies were already authorized to collect information in this manner. It was opined that including it under the Bill would reassert their right to do so in broader terms. For similar reasons, Section 7 (b) was found objectionable as well. It was further suggested that if sub clauses (b), (c) and (d) remained in the Bill, it should be subject to existing protections, for example those established by seminal cases such as <i>Maneka Gandhi v. Union of India</i> (1978) and<i> PUCL v. Union of India</i> (1997).</p>
<h3 class="MsoNormalCxSpMiddle" style="text-align: justify; ">Storage and Processing of Personal Data<b> </b></h3>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 8 of the Bill lays down a principle mandating the destruction of the information collected, following the cessation of the necessity or purpose for storage and provides exceptions to the same. It sets down a regime of informed consent, purpose specific storage and data anonymization.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The first amendment suggested for this provision was regarding the requirement of deleting the stored information ‘forthwith’. It was proposed by a participant that deleting personal data instantaneously had practical constraints and a reasonability criteria should be added. It was also noticed that in the current form of the Bill, the exception of historical, archival and research purposes had been replaced by the more general phrase ‘for an Act of Parliament’. The previous definition was altered as the terms being used were hard to define. In response, a participant suggested a broader phrase which would include any legal requirement. Another participant argued that a broader phrase would need to me more specifically defined to avoid dilution.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 9 of the Bill sets out two limitations for processing data in terms of (i) the kind of personal data being processed and (ii) the purpose for the same. The third sub clause enumerates exceptions to the abovementioned principles in language similar to that found in Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">With regard to the purpose limitation clause it was suggested by many participants that the same should be broadened to include multiple purposes as purpose swapping is widespread in existing practice and would be unfeasible and undesirable to curtail. Sub clause 3 of this Section was critiqued for the same reasons as Section 7.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">Section 10 restricts cross-border transfer of data. It was clarified that different departments of the same company or the same holding company would be treated as different entities for the purpose of identifying the data processor. However, a concern was raised regarding the possibility of increased bureaucratic hurdles on global transfer of data in case this section is read too strictly. At the same time, to provide adequate protection of the data subject’s rights certain restrictions on the data controller and location of transfer.</p>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The regime for disclosure of personal data without prior consent is provided for by Section 14. The provision did not specify the rank of the police officer in charge of passing orders for such disclosure. It was observed that a suitable rank had to be identified to ensure adequate protection. Further, it was suggested that the provision be broadened to include other competent agencies as well. This could be included by way of a schedule or subsequent notifications.</p>
<h3 class="MsoNormalCxSpLast" style="text-align: justify; ">Conclusion</h3>
<ul>
<li>Mediated collection of data should be qualified on the basis of purpose and intent of collection.</li>
<li>The issue of cost to company (C2C) was not given adequate consideration in the Bill.</li>
<li>The need to lay down Procedures at all stages of handling personal data.</li>
<li>Special exemptions need to be provided for journalistic sources. </li>
</ul>
<h2 class="MsoNormalCxSpFirst" style="text-align: justify; ">Meeting Conclusion<b><br /></b></h2>
<p class="MsoNormalCxSpMiddle" style="text-align: justify; ">The Sixth Privacy Roundtable was the second to last of the stakeholder consultations conducted for the Citizens’ <a href="http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013" class="external-link">Personal Data (Protection) Bill, 2013</a>. Various changes made to the Bill from its last form were scrutinized closely and suitable suggestions were provided. Further changes were recommended for various aspects of it, including definitions, qualifications and procedures, liability and the chapter on offences and penalties. The Bill will be amended to reflect multi-stakeholder suggestions and cater to various interests.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi'>http://editors.cis-india.org/internet-governance/blog/report-on-the-sixth-privacy-roundtable-meeting-new-delhi</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T15:04:51ZBlog EntryThe Personal Data (Protection) Bill, 2013
http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013
<b>Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013.
Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.
</b>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013'>http://editors.cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013</a>
</p>
No publisherprachiSAFEGUARDSInternet GovernancePrivacy2013-08-30T14:53:11ZFile