The Centre for Internet and Society
http://editors.cis-india.org
Comments on the RBI's Consultation Paper on Peer to Peer Lending
http://editors.cis-india.org/raw/comments-on-the-rbi-consultation-paper-on-peer-to-peer-lending
<b>The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.</b>
<p> </p>
<h2>1. Preliminary</h2>
<p><strong>1.1.</strong> This submission presents comments and recommendations by the Centre for Internet and Society (<strong>“CIS”</strong>) on the Consultation Paper on Peer to Peer Lending (<strong>“the consultation paper”</strong>) by the Reserve Bank of India (<strong>“RBI”</strong>) <strong>[1]</strong>.</p>
<h2>2. The Centre for Internet and Society</h2>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS <strong>[2]</strong>, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.</p>
<p><strong>2.2.</strong> This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.</p>
<h2>3. Response</h2>
<h3>3.1. Whether there is a felt need for regulating peer to peer lending platforms?</h3>
<p><strong>3.1.1.</strong> Peer to peer (<strong>“P2P”</strong>) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.</p>
<p><strong>3.1.2.</strong> Section 45I.(f)(iii) of the RBI Act, 1935 <strong>[3]</strong>, provides RBI the authority to classify any financial institution as a non-banking financial company (<strong>“NBFC”</strong>) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” <strong>[4]</strong> appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” <strong>[5]</strong>. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.</p>
<p><strong>3.1.3.</strong> The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus cannot be entrusted with any liability or obligation arising from the transaction.</p>
<p><strong>3.1.4.</strong> Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores <strong>[6]</strong>, and Economic Times reporting that the enterprise valuation of one of the biggest Indian P2P lending platforms (which can be taken as indicative of its net assets) is Rs 50 Crores <strong>[7]</strong>, we may assume that most P2P lending platforms will have net assets worth less than Rs. 500 Crores, at least in the near future; although there is a possibility for exponential growth with some companies.</p>
<p><strong>3.1.5.</strong> Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms be kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.</p>
<h3>3.2. Is the assessment of P2P lending and risks associated with it adequate?</h3>
<p><strong>3.2.1.</strong> CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.</p>
<ol type="A"><li><strong>Insufficient information about the conditions of lending, leading to defrauding of the borrower:</strong> The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs <strong>[8]</strong>, which extensively addresses concerns related to this type of risk.<br /><br /></li>
<li><strong>Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender:</strong> If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs <strong>[9]</strong>, which extensively addresses concerns related to this type of risk.<br /><br /></li>
<li><strong>Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead to asymmetry in credit information available across various actors in the sector:</strong> Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 <strong>[10]</strong>, which extensively addresses concerns related to this type of risk.<br /><br /></li>
<li><strong>P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control:</strong> It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risk.</li></ol>
<h3>3.3. Are there any other risks which ought to be addressed?</h3>
<p><strong>3.3.1.</strong> CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 <strong>[11]</strong>. The concerns related to this type of risk are directly addressed by the Rules concerned, and may not require additional attention from the RBI.</p>
<p><strong>3.3.2.</strong> CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a <em>service provider lock-in</em>, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.</p>
<h3>3.4. Is the proposed approach to regulating these platforms adequate?</h3>
<p><strong>3.4.1.</strong> CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.</p>
<p><strong>3.4.2.</strong> CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made in government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance <strong>[12]</strong>, etc.</p>
<p><strong>3.4.3.</strong> Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification be created under the category of NBFC for such platforms, one that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.</p>
<h3>3.5. Any other relevant issues pertaining to P2P lending</h3>
<p>Beyond the issues already discussed above, CIS seeks clarity from the RBI around the following aspects:</p>
<ol><li><strong>Transactional system pertaining to P2P lending:</strong>
<ol type="a">
<li>What are the requirements and prerequisites for mandating the collection of user identity?</li>
<li>Establishing a maximum sum that can be transferred per transaction.</li></ol>
</li>
<li><strong>Company activities:</strong>
<ol type="a"><li>Fees that can be charged by platforms.</li>
<li>How data security can be best addressed.</li>
<li>How the financial transactions are brokered.</li>
<li>Modes of redressal.</li>
<li>Restitution to users if something goes amiss in the transaction.</li>
<li>Insurance that the company has to buy or capital on hand to support.</li></ol>
</li></ol>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164">https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=3164</a>.</p>
<p><strong>[2]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[3]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf">https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.pdf</a>.</p>
<p><strong>[4]</strong> See Section 45I.(c) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[5]</strong> See Section 45I.(c)(v) of RBI Act, 1923, last amended on January 07, 2013.</p>
<p><strong>[6]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf">https://rbidocs.rbi.org.in/rdocs/content/pdfs/PNNBFC200315.pdf</a>.</p>
<p><strong>[7]</strong> See: <a href="http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms">http://economictimes.indiatimes.com/small-biz/startups/faircent-com-raises-pre-series-a-funding-of-250k/articleshow/47630279.cms</a>.</p>
<p><strong>[8]</strong> See: <a href="https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866">https://rbi.org.in/scripts/NotificationUser.aspx?Id=7866</a>.</p>
<p><strong>[9]</strong> See: <a href="https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168">https://rbi.org.in/scripts/BS_ViewMasCirculardetails.aspx?id=8168</a>.</p>
<p><strong>[10]</strong> See: <a href="http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx">http://www.incometaxindia.gov.in/Pages/acts/credit-information-companies-act.aspx</a>.</p>
<p><strong>[11]</strong> See: <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf</a>.</p>
<p><strong>[12]</strong> See: <a href="https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706">https://www.rbi.org.in/scripts/BS_NBFCNotificationView.aspx?Id=3706</a>.</p>
<p> </p>
No publisher | sumandro | Privacy, Reserve Bank of India, Data Protection, Research, Network Economies, P2P Lending, Researchers at Work | 2016-06-01T20:21:13Z | Blog Entry
RBI Consultation Paper on P2P Lending: Data Security and Privacy Concerns
http://editors.cis-india.org/raw/rbi-consultation-paper-on-p2p-lending
<b>On April 28, 2016 the Reserve Bank of India published a consultation paper on P2P Lending and invited comments from the public on the same. The Paper discusses what P2P lending is, the various regulatory practices that govern P2P lending in different jurisdictions and lists out arguments for and against regulating P2P lending platforms.</b>
<p> </p>
<h2>Arguments against Regulation</h2>
<p>The arguments against regulation of P2P lending companies as set out in the paper are (briefly):</p>
<ol><li>Regulating an exempt or nascent sector may be perceived as rubber stamping the industry through regulation, thus lending credibility to P2P lending, which could attract ill-informed lenders to the sector who may not understand all the risks associated with the industry. In this way regulation may cause more harm than good.</li>
<li>Regulations may also be perceived as too stringent, thus stifling the growth of an innovative, efficient and accessible industry.</li>
<li>The P2P lending market is currently in a nascent stage and does not pose an immediate systemic risk meriting regulation.</li></ol>
<p> </p>
<h2>Arguments in favour of Regulation</h2>
<p style="text-align: justify;">The arguments for regulating the market on the other hand are:</p>
<ol><li>Considering the significance of the online industry and the impact which it can have on the traditional banking channels/NBFC sector, it would be prudent to regulate this emerging industry.</li>
<li>The importance of these methods of financing, especially in sectors where formal lending cannot reach, needs to be acknowledged.</li>
<li>If the sector is left unregulated altogether, there is the risk of unhealthy practices being adopted by one or more players, which may have deleterious consequences.</li>
<li>Section 45S of RBI Act prohibits an individual or a firm or an unincorporated association of individuals from accepting deposits “if its business wholly or partly includes any of the activities specified in clause (c) of section 45-I (i.e. activities of a financial institution); or if his or its principal business is that of receiving of deposits under any scheme or arrangement or in any other manner, or lending in any manner. Contravention of Section 45S is an offence punishable under section 58B (5A) of RBI Act. As per the Act, ‘‘deposit’’ includes and shall be deemed always to have included any receipt of money by way of deposit or loan or in any other form, but does not include any amount received from an individual or a firm or an association of individuals not being a body corporate, registered under any enactment relating to money lending which is for the time being in force in any State. Since the borrowers and lenders brought together by a P2P platform could fall within these prohibitions, absence of regulation may lead to perpetrating an illegality.”</li></ol>
<p>After listing out the arguments, the paper adopts the approach of regulating this industry and proposes to bring P2P lending platforms under the purview of RBI’s regulation by defining them as Non Banking Financial Companies (NBFCs) under section 45-I(f)(iii) of the RBI Act. Once notified as NBFCs, RBI can issue regulations under sections 45JA and 45L. Though there is scope to comment on many aspects of the consultation paper, our comments here will be limited to the data security and privacy aspects of the recommendations.</p>
<p> </p>
<h2>Data Security and Privacy Concerns</h2>
<p>The understanding of potential borrowers, especially those who have had experiences with commercial financial institutions, is that the more information they provide, the better their chances of getting a loan. This perception emanates from the fact that any potential borrower is asked for a myriad of documents, including personally identifying documents, before a request for a loan is considered; in fact, for almost all financial institutions it is part of their core prudential norms to ask for identity documents before disbursing a loan. Getting as much information as possible from the borrower is not just a quirk of the financial institutions but makes business sense for them, since it is those institutions who bear the risk of recovery of their money. There is no reason why the same logic of allowing creditors all the information about the borrower should not be applicable to P2P lending platforms, as far as the principle of prudential business practices is concerned. However, the key difference between disclosing information to P2P lending platforms as opposed to financial institutions is that whilst the information supplied to financial institutions stays limited to the institution and its employees, a large amount of the information (though not necessarily all) given to P2P platforms is made available to all potential creditors, which in P2P lending translates to any internet user who registers as a potential creditor. In this way the potential for the information to reach a wider group of people is much higher and therefore privacy and data security risks require special attention in P2P lending.</p>
<p>In section 5.3(v) of the Paper it is recommended that “Confidentiality of the customer data and data security would be the responsibility of the Platform. Transparency in operations, adequate measures for data confidentiality and minimum disclosures to borrowers and lenders would also be mandated through a fair practices code.” Whilst the fair practices code has not yet been developed or at least not yet made publicly available, as companies in the P2P lending industry are body corporates, these fair practice codes should be in line with and satisfy the requirements of section 43A of the Information Technology Act, 2000 (“<strong>IT Act</strong>”) as well as the RBI’s Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds <strong>[1]</strong>.</p>
<p>The minimum standards for data protection in Indian law have been laid down by section 43A of the IT Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“<strong>Rules</strong>”) issued under section 43A. As per Rule 4 of the Rules, P2P platforms would be required to have a privacy policy to deal with sensitive personal data, which includes any details regarding financial information such as bank account, credit/debit cards, etc. <strong>[2]</strong>.</p>
<p>This policy would have to be published on the website of the platforms and would provide for a number of things such as (i) Clear and easily accessible statements of its practices and policies; (ii) type of personal or sensitive personal data or information collected; (iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information; (v) reasonable security practices and procedures for the data. The other requirements of the Rules as regards consent before usage of the information, collection limitations, imparting information/notice to the consumer (information provider), retention limitation, purpose limitation, opt-out option, disclosure, etc. will also be applicable to P2P platforms and the fair practices code that the RBI would issue for this purpose will have to take all these issues into account.</p>
<p style="text-align: justify;">The Rules also provide that body corporates will be considered to have complied with reasonable security practices if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Although there are no such practices which have been endorsed by any governmental body for P2P lending platforms, the Department of Banking Supervision, Reserve Bank of India, has issued guidelines on “Information security, Electronic Banking, Technology risk management and cyber frauds” <strong>[3]</strong> which could be relied upon until a fair practices code is put into place. The major privacy and data security provisions of these guidelines are given below:</p>
<ul>
<li><strong>Security Baselines</strong>: The guidelines require banks to be proactive in identifying and specifying the minimum security baselines to be adhered to by the service providers to ensure confidentiality and security of data;</li>
<li><strong>Back up records</strong>: A cloud computing system must ensure backup of all its clients' information;</li>
<li><strong>Security steps</strong>: An institution may take the following steps to ensure that risks with respect to confidentiality and security of data are adequately mitigated: (i) Address, agree, and document specific responsibilities of the respective parties in outsourcing; (ii) Discuss and agree on the instances where customer data shall be accessed; (iii) Ensure that service provider employees are adequately aware and informed on the security and privacy policies.</li>
<li><strong>Confidentiality</strong>: Agreements should provide for maintaining confidentiality of customer's information even after the contract expires or is terminated by either party and specify the liability in case of security breach or leakage.</li>
<li><strong>Encryption</strong>: Normally, a minimum of 128-bit SSL encryption is expected. Banks should only select encryption algorithms which are well established international standards.</li>
<li><strong>Fraud Risk Management</strong>: It is also necessary that customer confidential information and other data/information available with banks is secured adequately to ensure that fraudsters do not access it to perpetrate fraudulent transactions.</li></ul>
<p>Although inclusion of the above principles in the fair practices code would be helpful, the workings of P2P platforms are quite unique, so it would be counterproductive to restrict the security and privacy protocols to only those applied to regular banking transactions. The fair practices code should take into account these unique problems of P2P lending rather than seek to apply the existing norms blindly.</p>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p><strong>[2]</strong> The Rules define “sensitive personal data or information” as information relating to: "(i) password, (ii) financial information such as Bank account or credit card or debit card or other payment instrument details, (iii) physical, physiological and mental health condition, (iv) sexual orientation, (v) medical records and history, (vi) Biometric information, (vii) any detail relating to the above clauses as provided to body corporate for providing service, and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise."</p>
<p><strong>[3]</strong> See: <a href="http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf">http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf</a>.</p>
<p> </p>
No publisher | vipul | Privacy, Reserve Bank of India, Data Protection, Research, Network Economies, P2P Lending, Researchers at Work | 2016-06-01T11:41:17Z | Blog Entry
The National Privacy Principles
http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles
<b>In this infographic, we try to break down the National Privacy Principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.</b>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
No publisher | Pooja Saxena and Amber Sinha | Data Protection, Privacy | 2016-03-21T09:48:23Z | Blog Entry
Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India
http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india
<b>The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework are not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.</b>
<p align="justify">The European Court of Justice
(ECJ) has invalidated a European Commission (EC) decision<a class="sdfootnoteanc" name="sdfootnote1anc" href="#sdfootnote1sym"><sup>1</sup></a>
which had previously concluded that the 'Safe Harbor Privacy
Principles'<a class="sdfootnoteanc" name="sdfootnote2anc" href="#sdfootnote2sym"><sup>2</sup></a>
provide adequate protections for European citizens’ privacy rights<a class="sdfootnoteanc" name="sdfootnote3anc" href="#sdfootnote3sym"><sup>3</sup></a>
for the transfer of personal data between European Union and United
States. This challenge stems from the claim that public law
enforcement authorities in America obtain personal data from
organisations in safe harbour for incompatible and disproportionate
purposes in violation of the Safe Harbour Privacy Principles. The
court's judgment follows the advice of the Advocate General of the
Court of Justice of the European Union (CJEU) who recently opined<a class="sdfootnoteanc" name="sdfootnote4anc" href="#sdfootnote4sym"><sup>4</sup></a>
that US practices allow for large-scale collection and transfer of
personal data belonging to EU citizens without them benefiting from
or having access to judicial protection under US privacy laws. The
inadequacies of the framework are not news for the Commission and
action by ECJ has been a long time coming. The ruling raises
important questions about how increasingly the contestations of
personal data are being employed in asserting claims of citizenship
in the context of the internet.</p>
<p align="justify">
As the highest court in Europe,
the ECJ's decisions are binding on all member states. With this
ruling the ECJ has effectively restrained US firms from
indiscriminate collection and sharing of European citizens’ data on
American soil. The implications of the decision are significant,
because it shifts the onus of evaluating protections of personal data
for EU citizens from the 4,400 companies<a class="sdfootnoteanc" name="sdfootnote5anc" href="#sdfootnote5sym"><sup>5</sup></a>
subscribing to the system onto EU privacy watchdogs. Most
significantly, in addressing the rights of a citizen against an
established global brand, the judgement goes beyond political and
legal opinion to challenge the power imbalance that exists with
reference to US based firms.</p>
<p align="justify">
Today, the free movement of data
across borders is a critical factor in facilitating trade, financial
services, governance, manufacturing, health and development. However,
to consider the ruling as merely a clarification of transatlantic
mechanisms for data flows misstates the real issue. At the heart of
the judgment is the assessment of whether US firms apply the tests of
‘necessity and proportionality’ in the collection and
surveillance of data for national security purposes. Application of
the necessity and proportionality test to national security exceptions
under safe harbor has been a sticking point that has stalled the
renegotiation of the agreement that has been underway between the
Commission and the American data protection authorities.<a class="sdfootnoteanc" name="sdfootnote6anc" href="#sdfootnote6sym"><sup>6</sup></a></p>
<p align="justify">
For EU citizens the stakes in the
case are even higher, as while their right to privacy is enshrined
under EU law, they have no administrative or judicial means of
redress if their data is used for reasons they did not intend. In
the EU, citizens accessing and agreeing to use the services of US based firms are
presented with a false choice between accessing benefits and giving
up on their fundamental right to privacy. In other words, by seeking
that governments and private companies provide better data protection
for the EU citizens and in restricting collection of personal data on
a generalised basis without objective criteria, the ruling is
effectively an assertion of ‘data sovereignty’. The term ‘data
sovereignty’, while lacking a firm definition, refers to a spectrum
of approaches adopted by different states to control data generated
in or passing through national internet infrastructure.<a class="sdfootnoteanc" name="sdfootnote7anc" href="#sdfootnote7sym"><sup>7</sup></a>
Underlying the ruling is the growing policy divide between the US and
EU privacy and data protection standards, which may lead to what is
referred to as the balkanization<a class="sdfootnoteanc" name="sdfootnote8anc" href="#sdfootnote8sym"><sup>8</sup></a>
of the internet in the future.</p>
<p align="justify">
<em>US-EU Data Protection Regime </em></p>
<p align="justify">
The safe harbor pact between the
EU and US was negotiated in the late 1990s as an attempt to bridge
the different approaches to online privacy. Privacy is addressed in
the EU as a fundamental human right while in the US it is defined
under terms of consumer protection, which allow trade-offs
and exceptions when national security seems to be under threat. In
order to address the lower standards of data protection prevalent in
the US, the pact facilitates data transfers from EU to US by
establishing certain safeguards equivalent to the requirements of the
EU data protection directive. The safe harbor provisions include
firms undertaking not to pass personal information to third parties
if the EU data protection standards are not met and giving users
right to opt out of data collection.<a class="sdfootnoteanc" name="sdfootnote9anc" href="#sdfootnote9sym"><sup>9</sup></a></p>
<p align="justify">
The agreement was due to be
renewed by May 2015<a class="sdfootnoteanc" name="sdfootnote10anc" href="#sdfootnote10sym"><sup>10</sup></a>
and while negotiations have been ongoing for two years, EU discontent
on safe harbour came to the fore following the Edward Snowden
revelations of collection and monitoring facilitated by large private
companies for the PRISM program and after the announcement of the
TransAtlantic Trade and Investment Partnership (TTIP).<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><sup>11</sup></a>
EU member states have mostly stayed silent as they run their own
surveillance programs, oftentimes in cooperation with the NSA. EU
institutions cannot intervene in matters of national security;
however, they do have authority on data protection matters. European
Union officials and Members of Parliament have expressed shock and
outrage at the surveillance programs unveiled by Snowden's 2013
revelations. Most recently, following the CJEU Advocate General’s
opinion, 50 Members of the European Parliament (MEPs) sent a strongly
worded letter to the US Congress hitting back on claims of ‘digital
protectionism’ emanating from the US<a class="sdfootnoteanc" name="sdfootnote12anc" href="#sdfootnote12sym"><sup>12</sup></a>.
In no uncertain terms the letter clarified that the EU has different
ideas on privacy, platforms, net neutrality, encryption, Bitcoin,
zero-days, or copyright and will seek to improve and change any
proposal from the EC in the interest of our citizens and of all
people.</p>
<p align="justify">
<em>Towards Harmonization </em></p>
<p align="justify">
In November 2013, as an attempt
to minimize the loss of trust following the Snowden revelations, the
European Commission (EC) published recommendations in its report on
'Rebuilding Trust in EU-US Data Flows'.<a class="sdfootnoteanc" name="sdfootnote13anc" href="#sdfootnote13sym"><sup>13</sup></a>
The recommendations revealed two critical initiatives at the EU
level—first was the revision of the EU-US safe harbor agreement<a class="sdfootnoteanc" name="sdfootnote14anc" href="#sdfootnote14sym"><sup>14</sup></a>
and second the adoption of the 'EU-US Umbrella Agreement<a class="sdfootnoteanc" name="sdfootnote15anc" href="#sdfootnote15sym"><sup>15</sup></a>'—a
framework for data transfer for the purpose of investigating,
detecting, or prosecuting a crime, including terrorism. The Umbrella
Agreement was recently initialed by EU and US negotiators and it only
addresses the exchange of personal data between law enforcement
agencies.<a class="sdfootnoteanc" name="sdfootnote16anc" href="#sdfootnote16sym"><sup>16</sup></a>
The Agreement has gained momentum in the wake of recent cases around
issues of territorial duties of providers, enforcement jurisdictions
and data localisation.<a class="sdfootnoteanc" name="sdfootnote17anc" href="#sdfootnote17sym"><sup>17</sup></a>
However, the adoption of the Umbrella Act depends on the US Congress
adopting the Judicial Redress
Act (JRA) as law.<a class="sdfootnoteanc" name="sdfootnote18anc" href="#sdfootnote18sym"><sup>18</sup></a></p>
<p align="justify">
<em>Judicial Redress Act </em></p>
<p align="justify">
The JRA is a key reform that the
EC is pushing for in an attempt to address the gap between privacy
rights and remedies available to US citizens and those extended to EU
citizens, including allowing EU citizens to sue in American courts.
The JRA seeks to extend certain protections under the Privacy Act to
records shared by EU and other designated countries with US law
enforcement agencies for the purpose of investigating, detecting, or
prosecuting criminal offenses. The JRA protections would extend to
records shared under the Umbrella Agreement and while it does include
civil remedies for violation of data protection, as noted by the
Center for Democracy and Technology, the present framework does not
provide citizens of EU countries with redress that is at par with
that which US persons enjoy under the Privacy Act.<a class="sdfootnoteanc" name="sdfootnote19anc" href="#sdfootnote19sym"><sup>19</sup></a></p>
<p align="justify">
For example, the measures
outlined under the JRA would only be applicable to countries that
have outlined appropriate privacy protection agreements for data
sharing for investigations and ‘efficiently share’ such
information with the US. Countries that do not have agreements with
the US cannot seek these protections, leaving the personal data of their
citizens open for collection and misuse by US agencies. Further, the
arrangement leaves determination of 'efficiently sharing' in the
hands of US authorities, and countries could lose protection if they
do not comply with information sharing requests promptly. Finally,
JRA protections do not apply to non-US persons nor to records shared
for purposes other than law enforcement such as intelligence
gathering. The JRA is also weakened by allowing heads of agencies to
exercise their discretion to seek exemption from the Act and opt out
of compliance.</p>
<p align="justify">
Taken together, the JRA, the
Umbrella Act and the renegotiation of the Safe Harbor Agreement need
considerable improvements. It is worth noting that the EU’s acceptance
of the redundancy of existing agreements, and its establishment of the
independence of national data protection authorities in investigating
and enforcing national laws, as demonstrated in the Schrems and
Weltimmo<a class="sdfootnoteanc" name="sdfootnote20anc" href="#sdfootnote20sym"><sup>20</sup></a>
cases, point to accelerated developments in the broader EU privacy
landscape.</p>
<p align="justify">
<em>Consequences </em></p>
<p align="justify">
The ECJ Safe Harbor ruling will
have far-reaching consequences for the online industry. Often, costly
government rulings solidify the market dominance of big companies. As
high regulatory costs restrict the entrance of small and medium
businesses into the market, competition is gradually wiped out. Further,
complying with high standards of data protection means that US firms
handling European data will need to consider alternative legal means
of transfer of personal data. This could include evolving 'model
contracts' binding them to EU data protection standards. As Schrems
points out, “Big companies don’t only rely on safe harbour: they
also rely on binding corporate rules and standard contractual
clauses.”<a class="sdfootnoteanc" name="sdfootnote21anc" href="#sdfootnote21sym"><sup>21</sup></a></p>
<p align="justify">
The ruling is good news for
European consumers, who can now approach a national regulator to
investigate suspicions of data mishandling. EU data protection
regulators may be inundated with requests from companies seeking
authorization of new contracts and with consumer complaints. Some are
concerned that the ruling puts a dent in the globalized flow of
data<a class="sdfootnoteanc" name="sdfootnote22anc" href="#sdfootnote22sym"><sup>22</sup></a>,
effectively requiring data localization in Europe.<a class="sdfootnoteanc" name="sdfootnote23anc" href="#sdfootnote23sym"><sup>23</sup></a>
Others have pointed out that it is unclear how this decision sits
with other trade treaties such as the TPP that ban data
localisation.<a class="sdfootnoteanc" name="sdfootnote24anc" href="#sdfootnote24sym"><sup>24</sup></a>
While the implications of the decision will take some time to play
out, what is certain is that US companies will have to
restructure management, storage and use of data. The ruling has
created the impetus for India to push for reforms to protect its
citizens from harms by US firms and improve trade relations with EU.</p>
<p align="justify"><em>The Opportunity for India</em></p>
<p align="justify">
Multiple data flows take place
over the internet simultaneously, which has led to the ubiquity of data
transfers over the Internet, exposing individuals to privacy risks.
There has also been an enhanced economic importance of data
processing as businesses collect and correlate data using analytic
tools to create new demands, establish relationships and generate
revenue for their services. The primary concern of the Schrems case
may be the protection of the rights of EU citizens but by seeking to
extend these rights and ensure compliance in other jurisdictions, the
case touches upon many underlying contestations around data and
sovereignty.</p>
<p align="justify">
Last year, Mr Ram Narain, India's
Head of Delegation to the Working Group Plenary at the ITU, had stressed, “respecting the principle of sovereignty of information through
network functionality and global norms will go a long way in
increasing the trust and confidence in use of ICT.”<a class="sdfootnoteanc" name="sdfootnote25anc" href="#sdfootnote25sym"><sup>25</sup></a>
In the absence of the recognition of privacy as a right and
empowering citizens through measures or avenues to seek redressal
against misuse of data, the demand of data sovereignty rings empty.
The kind of framework which empowered an ordinary citizen in the EU
to approach the highest court seeking redressal based on presumed
overreach of a foreign government and from harms abetted by private
corporations simply does not exist in India. Securing citizens’
data in other jurisdictions and from other governments begins with
establishing protection regimes within the country.</p>
<p align="justify">
The Indian government has also
stepped up efforts to restrict transfer of data from India including
pushing for private companies to open data centers in India.<a class="sdfootnoteanc" name="sdfootnote26anc" href="#sdfootnote26sym"><sup>26</sup></a>
Negotiating data localisation does not restrict private
corporations from using data in broad ways, including tailoring ads
and promoting products. Also, data transfers impact any organisation
with international operations, for example, global multinationals who
need to coordinate employee data and information. Companies like
Facebook, Google and Microsoft transfer and store data belonging to
Indian citizens and it is worth remembering that the National
Security Agency (NSA) would have access to this data through servers
of such private companies. With no existing measures to restrict such
indiscriminate access, the ruling points to the need for India to
evolve strong protection mechanisms. Finally, the lack of such
measures also has an economic impact, as reported in a recent
Nasscom-Data Security Council of India (DSCI) survey<a class="sdfootnoteanc" name="sdfootnote27anc" href="#sdfootnote27sym"><sup>27</sup></a>
that pegs revenue losses incurred by the Indian IT-BPO industry at
$2-2.5 billion for a sample size of 15 companies. DSCI has further
estimated that outsourcing business can further grow by $50 billion
per annum once India is granted a “data secure” status by the
EU.<a class="sdfootnoteanc" name="sdfootnote28anc" href="#sdfootnote28sym"><sup>28</sup></a>
The EU’s refusal to grant such a status is understandable given the
high standard of privacy incorporated under the European Union
Data Protection Directive, a standard which India does not yet
match. The lack of this status prevents the flow of data which is
vital for the Digital India vision and also affects the service industry
by restricting the flow of sensitive information to India such as
information about patient records.</p>
<p align="justify">
Data and information structures
are controlled and owned by private corporations and networks
transcend national borders, therefore the foremost emphasis needs to
be on improving national frameworks. While enforcement mechanisms
such as the Mutual Legal Assistance Treaty (MLAT) process or other
methods of international cooperation may seem respectful of
international borders and principles of sovereignty,<a class="sdfootnoteanc" name="sdfootnote29anc" href="#sdfootnote29sym"><sup>29</sup></a>
for users that live in undemocratic or oppressive regimes, such
agreements are a considerable risk. Data is also increasingly being
stored across multiple jurisdictions, and therefore merely applying
a data location lens to protection measures may be too narrow. Further,
it should be noted that when companies begin taking data storage
decisions based on legal considerations, it will impact the speed and
reliability of services.<a class="sdfootnoteanc" name="sdfootnote30anc" href="#sdfootnote30sym"><sup>30</sup></a>
Any future regime must reflect the challenges of data transfers
taking place in legal and economic spaces that are not identical and
may be in opposition. Fundamentally, the protection of privacy will
always act as a barrier to the free flow of information; even so, as
the Schrems case ruling points out, not having adequate privacy
protections could also restrict the flow of data, as has been the case
for India.</p>
<p align="justify">
The time is right for India to
appoint a data controller and put in place national frameworks, based
on nuanced understanding of issues of applying jurisdiction to govern
users and their data. Establishing better protection measures will
not only establish trust and enhance the ability of users to control
data about themselves; it is also essential for sustaining economic
and social value generated from data generation and collection.
Suggestions for such frameworks have been considered previously by
the Group of Experts on Privacy constituted by the Planning
Commission.<a class="sdfootnoteanc" name="sdfootnote31anc" href="#sdfootnote31sym"><sup>31</sup></a>
By incorporating transparency in mechanisms for data and access
requests and premising requests on established necessity and
proportionality, the Indian government can lead the way in data protection
standards. This will give the Indian government more teeth to
challenge and address the dangers of theft of data stored on
servers located outside of India and to restrain indiscriminate access
arising from terms and conditions of businesses that grant such
rights to third parties.</p>
<div id="sdfootnote1">
<p>
<a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and
related frequently asked questions issued by the US Department of
Commerce (notified under document number C(2000) 2441) (Text with
EEA relevance.) <em>Official
Journal L 215, 25/08/2000 P. 0007-0047</em>
2000/520/EC:
<u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML</a></u></p>
</div>
<div id="sdfootnote2">
<p>
<a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>
Safe Harbour Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote3">
<p>
<a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>
Megan Graham, <a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Adding Some Nuance on the European Court’s Safe Harbor Decision</a>, Just Security</p>
<p>
<u><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/</a></u></p>
</div>
<div id="sdfootnote4">
<p>
<a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>
Advocate
General’s Opinion in Case C-362/14 Maximillian Schrems v Data
Protection Commissioner Court of Justice of the European Union,
Press Release, No 106/15 Luxembourg, 23 September 2015
<u><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf</a></u></p>
</div>
<div id="sdfootnote5">
<p>
<a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour
alternatives’, The Register, October 7, 2015
<u><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/</a></u></p>
</div>
<div id="sdfootnote6">
<p>
<a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
Draft Report, General Data Protection Regulation, Committee on Civil
Liberties, Justice and Home Affairs, European Parliament, 2009-2014
<a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf</a></p>
</div>
<div id="sdfootnote7">
<p>
<a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS
Characteristics: Data Sovereignty and the Balkanisation of the
Internet’, University of Oxford, July 7, 2014
<u><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf</a></u></p>
</div>
<div id="sdfootnote8">
<p>
<a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
Sasha
Meinrath, The Future of the Internet: Balkanization and Borders,
Time, October 2013
<u><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/</a></u></p>
</div>
<div id="sdfootnote9">
<p>
<a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
Safe Harbour Privacy Principles, Issued by the U.S. Department of
Commerce, July 2001
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote10">
<p>
<a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a>
Facebook
case may force European firms to change data storage practices, The
Guardian, September 23, 2015
<u><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy</a></u></p>
</div>
<div id="sdfootnote11">
<p>
<a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>
Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013
<u><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">https://iapp.org/news/a/us-eu-safe-harbor-under-pressure</a></u></p>
</div>
<div id="sdfootnote12">
<p>
<a class="sdfootnotesym" name="sdfootnote12sym" href="#sdfootnote12anc">12</a>
Kieren
McCarthy, Privacy, net neutrality, security, encryption ... Europe
tells Obama, US Congress to back off, The Register, 23 September,
2015
<u><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/</a></u></p>
</div>
<div id="sdfootnote13">
<p>
<a class="sdfootnotesym" name="sdfootnote13sym" href="#sdfootnote13anc">13</a>
Communication from the Commission to the European Parliament and the
Council, Rebuilding Trust in EU-US Data Flows, European Commission,
November 2013
<u><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf</a></u></p>
</div>
<div id="sdfootnote14">
<p>
<a class="sdfootnotesym" name="sdfootnote14sym" href="#sdfootnote14anc">14</a>
Safe
Harbor on trial in the European Union, Access Blog, September 2014
<u><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union</a></u></p>
</div>
<div id="sdfootnote15">
<p>
<a class="sdfootnotesym" name="sdfootnote15sym" href="#sdfootnote15anc">15</a>
European
Commission - Fact Sheet Questions and Answers on the EU-US data
protection "Umbrella agreement", September 8, 2015
<u><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm</a></u> </p>
</div>
<div id="sdfootnote16">
<p>
<a class="sdfootnotesym" name="sdfootnote16sym" href="#sdfootnote16anc">16</a>
McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data
transfers’, Lexology, September 14, 2015
<u><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f</a></u></p>
</div>
<div id="sdfootnote17">
<p>
<a class="sdfootnotesym" name="sdfootnote17sym" href="#sdfootnote17anc">17</a>
Andrew
Woods, Lowering the Temperature on the Microsoft-Ireland Case,
Lawfare, September 2015
<u><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case</a></u></p>
</div>
<div id="sdfootnote18">
<p>
<a class="sdfootnotesym" name="sdfootnote18sym" href="#sdfootnote18anc">18</a>
Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement
and the Judicial Redress Act: Small Steps Forward for EU Citizens’
Privacy Rights’, October 5, 2015
<u><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/</a></u></p>
</div>
<div id="sdfootnote19">
<p>
<a class="sdfootnotesym" name="sdfootnote19sym" href="#sdfootnote19anc">19</a>
Ibid 18.</p>
</div>
<div id="sdfootnote20">
<p>
<a class="sdfootnotesym" name="sdfootnote20sym" href="#sdfootnote20anc">20</a>
Landmark ECJ data protection ruling could impact Facebook and
Google, The Guardian, 2 October, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo</a></u></p>
</div>
<div id="sdfootnote21">
<p>
<a class="sdfootnotesym" name="sdfootnote21sym" href="#sdfootnote21anc">21</a>
Julia Powles, Tech companies like Facebook not above the law, says
Max Schrems, The Guardian, October 9, 2015
<a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice</a></p>
</div>
<div id="sdfootnote22">
<p>
<a class="sdfootnotesym" name="sdfootnote22sym" href="#sdfootnote22anc">22</a>
Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling,
The Technology Liberation Front, October 6, 2015
<u><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831</a></u></p>
</div>
<div id="sdfootnote23">
<p>
<a class="sdfootnotesym" name="sdfootnote23sym" href="#sdfootnote23anc">23</a>
Anupam Chander, Tweeted ECJ <a href="https://twitter.com/hashtag/schrems?src=hash">#schrems</a>
ruling may effectively require data localization within Europe,
<u><a href="https://twitter.com/AnupamChander/status/651369730754801665">https://twitter.com/AnupamChander/status/651369730754801665</a></u></p>
</div>
<div id="sdfootnote24">
<p>
<a class="sdfootnotesym" name="sdfootnote24sym" href="#sdfootnote24anc">24</a>
Lokman Tsui, Tweeted, “If the TPP bans data localization, but the
ECJ ruling effectively mandates it, what does that mean for the
internet?”
<u><a href="https://twitter.com/lokmantsui/status/651393867376275456">https://twitter.com/lokmantsui/status/651393867376275456</a></u></p>
</div>
<div id="sdfootnote25">
<p>
<a class="sdfootnotesym" name="sdfootnote25sym" href="#sdfootnote25anc">25</a>
Statement from Indian Head of Delegation, Mr Ram Narain for WGPL,
<a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014</a>
<a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">https://ccgnludelhi.wordpress.com/author/asukum87/page/2/</a></p>
</div>
<div id="sdfootnote26">
<p>
<a class="sdfootnotesym" name="sdfootnote26sym" href="#sdfootnote26anc">26</a>
Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard,
December 2014
<u><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html</a></u></p>
</div>
<div id="sdfootnote27">
<p>
<a class="sdfootnotesym" name="sdfootnote27sym" href="#sdfootnote27anc">27</a>
Neha Alawadi, Ruling on data flow between EU & US may impact India’s
IT sector, Economic Times, October 7, 2015
<a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></p>
</div>
<div id="sdfootnote28">
<p>
<a class="sdfootnotesym" name="sdfootnote28sym" href="#sdfootnote28anc">28</a>
Pranav Menon, Data Protection Laws in India and Data Security-
Impact on India and Data Security-Impact on India - EU Free Trade
Agreement, CIS Access to Knowledge, 2011
<u><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">http://cis-india.org/a2k/blogs/data-security-laws-india.pdf</a></u></p>
</div>
<div id="sdfootnote29">
<p>
<a class="sdfootnotesym" name="sdfootnote29sym" href="#sdfootnote29anc">29</a>
Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with
Bangladesh, Economic Times, October 7, 2015
<u><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></u></p>
</div>
<div id="sdfootnote30">
<p>
<a class="sdfootnotesym" name="sdfootnote30sym" href="#sdfootnote30anc">30</a>
Pablo Chavez, Director, Public Policy and Government Affairs, Testifying
before the U.S. Senate on transparency legislation, November 3,
2013
<u><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html</a></u></p>
</div>
<div id="sdfootnote31">
<p>
<a class="sdfootnotesym" name="sdfootnote31sym" href="#sdfootnote31anc">31</a>
Report of the Group of Experts on Privacy (Chaired by Justice A P Shah,
Former Chief Justice, Delhi High Court), Planning Commission,
October 2012
<u><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a></u></p>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india'>http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india</a>
</p>
No publisher; jyoti; Access to Knowledge, Digital Economy, Public Accountability, Privacy, Platform Responsibility, Data Protection, Accountability, Digital Security, Digital India, Internet Governance; 2015-10-14T14:40:08Z; Blog Entry
Centre for Internet and Society joins the Dynamic Coalition for Platform Responsibility
http://editors.cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility
<b>The Centre for Internet and Society (CIS) has joined a multistakeholder cooperative engagement aimed at creating Due Diligence Recommendations for online platforms and Model Contractual Provisions to be enshrined in ToS. This blog provides a brief background on the role of dynamic coalitions within the IGF structure, establishes the need for the coalition and provides an update on the action plan and next steps for interested stakeholders.</b>
<p class="callout" style="text-align: justify; ">"Identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations."<br />Tunis Agenda (Para 72.g)</p>
<p style="text-align: justify; ">The first United Nations Internet Governance Forum (IGF), in 2006, saw the emergence of the concept of the Dynamic Coalition, and a number of coalitions have been established over the years. The IGF is structured to bring together multistakeholder groups to,</p>
<p class="callout" style="text-align: justify; ">"Discuss public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet."<br />Tunis Agenda (Para 72.a)</p>
<p style="text-align: justify; ">While IGF workshops allow various stakeholders to jointly analyse "hot topics" or to examine the progress made on such issues since the previous IGF, dynamic coalitions are informal, issue-specific groups comprising members of various stakeholder groups. With no strictures upon the objects, structure or processes of dynamic coalitions claiming association with the IGF, no formal institutional affiliation, and no access to the resources of the IGF Secretariat, IGF Dynamic Coalitions allow the collaboration of anyone interested in contributing to their discussions. Currently, there are eleven active dynamic coalitions at the IGF, which can be divided into three distinct types: networks, working groups and Birds of a Feather (BOFs).</p>
<p style="text-align: justify; ">Workshops at the IGF are content-specific events that, though valuable in informing participants, are limited in their impact by being confined to the launch of a report or to the issues raised within the conference room. The coalitions, on the other hand, are expected to have a broader function, acting as a coalescing point for interested stakeholders to gather and analyse progress around identified issues and plan next steps. The coalitions can also make recommendations around issues; however, no mechanism has been developed so far by which the recommendations can be considered by the plenary body. The long-term nature of coalitions is perhaps most suited to engaging stakeholders in heterogeneous groups towards understanding and cooperating around emerging issues, and to making recommendations to inform policy making.</p>
<h3 style="text-align: justify; ">Platform Responsibility</h3>
<p style="text-align: justify; ">Social networks and other interactive online services give rise to 'cyber-spaces' where individuals gather, express their personalities and exchange information and ideas. The transnational and private nature of such platforms means that they are regulated through contractual provisions enshrined in the platforms' Terms of Service (ToS). Not only do the provisions delineated in the ToS extend to users regardless of their geographical location, but the private decisions undertaken by platform providers in implementing the ToS are also not subject to constitutional guarantees framed under national jurisdictions.</p>
<p style="text-align: justify; ">While ToS serve as a binding agreement online, the absence of binding international rules in this area, despite the universal nature of the human rights involved, is a real challenge, and makes it necessary to engage in a multistakeholder effort to produce model contractual provisions that can be incorporated in ToS. The concept of 'platform responsibility' aims to encourage platform providers to provide intelligible and solid mechanisms, in line with the principles laid out by the UN Guiding Principles on Business and Human Rights, and to equip platform users with common and easy-to-grasp tools to guarantee the full enjoyment of their human rights online. The utilisation of model contractual provisions in ToS may prove instrumental in fostering trust in online services for content production, use and dissemination and in increasing demand for services; ultimately, consumer demand may drive the market towards human rights compliant solutions.</p>
<h3 style="text-align: justify; ">The Dynamic Coalition on Platform Responsibility</h3>
<p style="text-align: justify; ">To nurture a multi-stakeholder endeavour aimed at the elaboration of model contractual provisions, Mr. Luca Belli, Council of Europe / Université Paris II; Ms Primavera De Filippi, CNRS / Berkman Center for Internet and Society; and Mr Nicolo Zingales, Tilburg University / Center for Technology and Society Rio, initiated and facilitated the creation of the Dynamic Coalition on Platform Responsibility (DCPR). DCPR has over fifty individual and organisational members from civil society organisations, academia, private sector organisations and intergovernmental organisations, and held its first meeting at the IGF in Istanbul. The meeting began with an overview of the concept of platform responsibility, highlighting relevant initiatives that the Council of Europe, Global Network Initiative, Ranking Digital Rights and the Center for Democracy and Technology have undertaken in this regard. Existing issues such as difficulty in comprehension and lack of standardization of redress across rights were raised, along with the fundamental lack of due process in terms of transparency across existing mechanisms.</p>
<p style="text-align: justify; ">Online platforms' compliance with human rights is often framed around the duty of States to protect human rights, and often Internet companies do not give sufficient consideration to the effects of their business practices on users' fundamental rights, undermining trust.</p>
<p style="text-align: justify; ">The meeting focused its efforts with a call to identify issues of process and substance, and the specific rights and challenges to be addressed by the DCPR. The procedural issues raised concerned 'responsibility' in decision-making, e.g., giving users the right to be heard and an effective remedy before an impartial decision-making body, and obtaining their consent for changes in the contractual terms. The substantive concerns raised related to rights such as privacy and freedom of expression, e.g., disclosure of personal information and content removal, and the need to promote 'responsibility' by establishing concrete mechanisms to deal with such issues.</p>
<p style="text-align: justify; ">It was suggested that the concept of responsibility, including in cases of conflict between different rights, could be grounded in human rights case law, e.g., European Court of Human Rights jurisprudence. It was also established that any framework that evolves from this coalition would consider the distinctions between users (e.g., adults, children, and people with or without continuous access to the Internet) and between platforms (e.g., in terms of size and functionality).</p>
<h3 style="text-align: justify; ">Action Plan</h3>
<p style="text-align: justify; ">The participants at the DCPR meeting agreed to establish a multistakeholder cooperative engagement that will go beyond dialogue and produce concrete proposals. In particular, participants suggested developing:</p>
<ol>
<li style="text-align: justify; ">Due Diligence Recommendations: Recommendations to online platforms with regard to processes of compliance with internationally agreed human rights standards.</li>
<li style="text-align: justify; ">Model Contractual Provisions: Elaboration of a set of principles and provisions protecting platform users’ rights and guaranteeing transparent mechanisms to seek redress in case of violations.</li>
</ol>
<p style="text-align: justify; ">DCPR will ground the development of these frameworks in the preliminary step of compilation of existing projects and initiatives dealing with the analysis of ToS compatibility with human rights standards. Members, participants and interested stakeholders are invited to highlight and share relevant initiatives by 10th October regarding:</p>
<ol>
<li>Processes of due diligence for human rights compliance;</li>
<li>The evaluation of ToS compliance with human rights standards;</li>
</ol>
<p style="text-align: justify; ">Further to this compilation, a first recommendation draft regarding online platforms' due diligence will be circulated on the mailing list by 30th October 2014. CIS will be contributing to the drafting which will be led and elaborated by the DCPR coordinators. This draft will be open for comments via the DCPR mailing list until 30th November 2014 and we encourage you to sign up to the mailing list (<a class="external-link" href="http://lists.platformresponsibility.info/listinfo/dcpr">http://lists.platformresponsibility.info/listinfo/dcpr</a>).<br /><br />A second draft will be developed compiling the comments expressed via the mailing-list and shared for comments by 10 December 2014. The final version of the recommendation will be drafted by 30 December. Subsequently, the first set of model contractual provisions will be elaborated building upon such recommendation. A call for inputs will be issued in order to gather suggestions on the content of these provisions.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility'>http://editors.cis-india.org/internet-governance/blog/cis-joins-dynamic-coalition-for-platform-responsibility</a>
</p>
No publisher; jyoti; Human Rights, Privacy, Internet Governance Forum, Data Protection, Terms of Service, Internet Governance, Platform Responsibility, Intermediary Liability; 2014-10-07T10:54:03Z; Blog Entry
Reading the Fine Script: Service Providers, Terms and Conditions and Consumer Rights
http://editors.cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights
<b>This year, an increasing number of incidents related to consumer rights and service providers have come to light. This blog illustrates the facts of the cases and discusses the main issues at stake, namely, the role and responsibilities of providers of platforms for user-created content with regard to consumer rights.</b>
<p style="text-align: justify; "><span>On 1st July, 2014 the Federal Trade Commission (FTC) filed a complaint against T-Mobile USA,</span><a href="#_ftn1">[1]</a><span> accusing the service provider of 'cramming' customers' bills with millions of dollars of unauthorized charges. Recently, another service provider received flak from regulators and users worldwide after it published a paper, 'Experimental evidence of massive-scale emotional contagion through social networks'.</span><a href="#_ftn2">[2]</a><span> The paper described Facebook's experiment on more than 600,000 users to determine whether manipulating user-generated content would affect the emotions of its users.</span></p>
<p style="text-align: justify; ">In both incidents, the terms that should ensure the protection of users' legal rights were used to gain consent for actions on the part of the service providers that the consumer did not anticipate at the time of agreeing to the terms and conditions (T&Cs). More precisely, both cases point to the underlying issue of how users are bound by T&Cs and, in a mediated online landscape, highlight the need to pay attention to the regulations that govern the online engagement of users.</p>
<p style="text-align: justify; "><b>I have read and agree to the terms</b></p>
<p style="text-align: justify; ">In his statement, Chief Executive Officer John Legere might have referred to T-Mobile as "the most pro-consumer company in the industry",<a href="#_ftn3">[3]</a> however, the FTC investigation's revelation that many customers never authorized the charges suggests otherwise. The FTC investigation also found that T-Mobile received 35-40 per cent of the amount charged for subscriptions, which were made largely through innocuous services that customers had been signed up to without their knowledge or consent. Last month, news broke that just under 700,000 users 'unknowingly' participated in the Facebook study, and while the legality and ethics of the experiment are being debated, what is clear is that Facebook violated consumer rights by not providing its users with the choice to opt in or out, or even the knowledge of such social or psychological experiments.</p>
<p style="text-align: justify; ">Both incidents boil down to the sensitive question of consent. While binding agreements around the world work on the condition of consent, how do we define it and what are the implications of agreeing to the terms?</p>
<p style="text-align: justify; "><b>Terms of Service: Conditions are subject to change </b></p>
<p style="text-align: justify; ">Although a legal necessity, the existing terms of service (TOS), as they are also known, are deeply broken as an acceptance mechanism. The policies of online service providers are often too long and, with no shorter or multilingual versions, require substantial effort on the part of the user to go through in detail. A 2008 Carnegie Mellon study estimated it would take an average user 244 hours every year to go through the policies they agree to online.<a href="#_ftn4">[4]</a> Based on the study, the Atlantic's Alexis C. Madrigal derived that reading all of the privacy policies an average Internet user encounters in a year would take 76 working days.<a href="#_ftn5">[5]</a></p>
<p style="text-align: justify; ">The costs of time are multiplied by the fact that terms of service change with technology, making it very hard for a user to keep track of all of the changes over time. Moreover, many service providers do not even commit to the obligation of notifying users of any changes in the TOS. Microsoft, Skype, Amazon and YouTube are examples of service providers that have not committed to any obligation to notify users of changes, and often there are no mechanisms in place to ensure that service providers are keeping users updated.</p>
<p style="text-align: justify; ">Although Facebook has said that the recent social experiment is perfectly legal under its TOS,<a href="#_ftn6">[6]</a> the question of the fairness of the conditions of users' consent remains debatable. Facebook has a broad copyright license that goes beyond its operating requirements, such as the right to 'sublicense'. The copyright license also does not end when users stop using the service, unless the content has been deleted by everyone else.</p>
<p style="text-align: justify; ">More importantly, since 2007, Facebook has made major changes to its lengthy TOS about every year.<a href="#_ftn7">[7]</a> And while many point out that Facebook is transparent, as it solicits feedback preceding changes to its terms, the accountability remains questionable, as the results are not binding unless 30% of the actual users vote. Facebook can, and does, track users and share their data across websites, and has no obligation or mechanism to inform users of takedown requests.</p>
<p style="text-align: justify; ">Courts in different jurisdictions under different laws may come to different conclusions regarding these practices, especially about whether changing terms without notifying users is acceptable or not. Living in a society more protective of consumer rights is, however, no safeguard, as TOS often include a choice-of-law clause which allows companies to select the jurisdiction whose laws govern the terms.</p>
<p style="text-align: justify; ">The recent experiment bypassed the need for informed user consent due to Facebook's Data Use Policy<a href="#_ftn8">[8]</a>, which states that once an account has been created, user data can be used for 'internal operations, including troubleshooting, data analysis, testing, research and service improvement.' While users worldwide may be outraged, legally, Facebook acted within its rights, as the decision fell within the scope of the T&Cs that users consented to. The incident's most positive impact might be in taking the questions of Facebook's responsibilities towards protecting users, including informing them of the usage of their data and changes in data privacy terms, to a worldwide audience.</p>
<p style="text-align: justify; "><b>My right is bigger than yours</b></p>
<p style="text-align: justify; ">Most TOS agreements, written by lawyers to protect the interests of the companies, add to the complexities of privacy in an increasingly user-generated digital world. Often, intentionally complicated agreements conflict with existing data and user rights across jurisdictions and chip away at rights like ownership, privacy and even the ability to sue. With conditions that allow for a change in terms at any time, existing users do not have ownership or control over their data.</p>
<p style="text-align: justify; ">In April, the New York Times reported on updates to the legal policy of General Mills (GM), the multibillion-dollar food company.<a href="#_ftn9">[9]</a> The update broadly asserted that consumers interacting with the company in a variety of ways and venues can no longer sue GM, but must instead submit any complaint to “informal negotiation” or arbitration. Since then, GM has backtracked and clarified that the “online communities” mentioned in the policy referred only to those online communities hosted by the company on its own websites.<a href="#_ftn10">[10]</a> Clarification aside, as Julia Duncan, Director of Federal programs at the American Association for Justice, points out, the update in the terms was so broad that it was open to wide interpretation, and anything that consumers purchase from the company could have been held to this clause.<a href="#_ftn11">[11]</a></p>
<p style="text-align: justify; "><b>Data and whose rights?</b></p>
<p style="text-align: justify; ">Following the Snowden revelations, data privacy has become a contentious issue in the EU, and TOS that allow service providers to unilaterally alter the terms of the contract will face many challenges in the future. In March, Edward Snowden sent his testimony to the European Parliament calling for greater accountability and highlighted that in "a global, interconnected world where, when national laws fail like this, our international laws provide for another level of accountability."<a href="#_ftn12">[12]</a> Following the testimony came the European Parliament's vote in favor of new safeguards on the personal data of EU citizens when it is transferred to non-EU countries.<a href="#_ftn13">[13]</a> The new regulations seek to give users more control over their personal data, including the right to ask for data from the companies that control it, and seek to place the burden of proof on the service providers.</p>
<p style="text-align: justify; ">The regulation places responsibility on companies, including third parties involved in data collection, transfer and storage, and requires greater transparency on requests for information. The amendment reinforces the data subject's right to seek erasure of data and obliges the parties concerned to communicate data rectification. Also, earlier this year, the European Court of Justice (ECJ) ruled in favor of the 'right to be forgotten'<a href="#_ftn14">[14]</a>. The ECJ ruling recognised that the data subject's rights override the interest of internet users, with exceptions pertaining to the nature of the information, its sensitivity for the data subject's private life and the role of the data subject in public life.</p>
<p style="text-align: justify; ">In May, the Norwegian Consumer Council filed a complaint with the Norwegian Consumer Ombudsman, “… based on the discrepancies between Norwegian Law and the standard terms and conditions applicable to the Apple iCloud service...”, and, “...in breach of the law regarding control of marketing and standard agreements.”<a href="#_ftn15">[15]</a> The council based its complaint on the results of a study, published earlier this year, that found terms were hazy and varied across services including iCloud, Dropbox, Google Drive, Jottacloud, and Microsoft OneDrive. The Norwegian Council study found that Google's TOS allow users' content to be used for purposes other than storage, including by partners, and that Google retains rights of usage even after the service is cancelled. None of the providers guarantees that data is safe from loss, while many have the ability to terminate an account without notice. All of the service providers can change the terms of service, but only Google and Microsoft give advance notice.</p>
<p style="text-align: justify; ">The study also found service providers lacking with respect to European privacy standards, with many allowing for browsing of user content. Tellingly, Google was fined in January by the French Data Protection Authority, which stated, regarding Google's TOS, that the company "permits itself to combine all the data it collects about its users across all of its services without any legal basis."</p>
<p style="text-align: justify; "><b>To blame or not to blame</b></p>
<p style="text-align: justify; ">Facebook is facing a probe by the UK Information Commissioner's Office to assess whether the experiment conducted in 2012 was a violation of data privacy laws.<a href="#_ftn16">[16]</a> The FTC asked the court to order T-Mobile USA to stop mobile cramming, provide refunds and give up any revenues from the practice. The existing mechanisms of online consent do not simplify the task of agreeing to multiple documents and services at once, a complexity which multiplies with the involvement of third parties.</p>
<p style="text-align: justify; ">Unsurprisingly, T-Mobile's Legere termed the FTC lawsuit misdirected and blamed the companies providing the text services for the cramming.<a href="#_ftn17">[17]</a> He felt those providers should be held accountable, despite allegations that T-Mobile's billing practices made it difficult for consumers to detect that they were being charged for unauthorized services and that it had shared revenues with third-party providers. Interestingly, this is the first action against a wireless carrier for cramming, and the FTC has a precedent of going after the smaller companies that provide the services.</p>
<p style="text-align: justify; ">The FTC charged T-Mobile USA with deceptive billing practices in putting the crammed charges under a total for 'use charges' and 'premium services' and failing to highlight that a portion of the charge was for third-party charges. Further, the company urged customers to take complaints to vendors and was not forthcoming with refunds. For now, T-Mobile may be able to share the blame, but the incident brings into question its accountability, especially as, going forward, it has entered a pact along with other carriers in the USA, including Verizon and AT&T, agreeing to stop billing customers for third-party services. Even when practices such as cramming are deemed illegal, it does not necessarily mean that harm has been prevented. Often users bear the burden of claiming refunds, and litigation comes at a cost, while even after being fined companies could have succeeded in profiting from their actions.</p>
<p style="text-align: justify; "><b>Conclusion </b></p>
<p style="text-align: justify; ">Unfair terms and conditions may arise when service providers include terms that are difficult to understand or vague in their scope. TOS that prevent users from taking legal action, or that negate liability for service providers' actions even where those actions may have a direct bearing on users, are also considered unfair. More importantly, an imbalance is created by any term that is hidden until after the contract is signed, or any term that gives the provider the right to change the contract to its benefit, including terms granting the service provider wider rights than users, such as a term that makes it very difficult for users to end a contract. These issues get further complicated when the companies controlling and profiting from data are doing so with user-generated data provided free to the platform.</p>
<p style="text-align: justify; ">In the knowledge economy, web companies play a decisive role: even though they work for profit, the profit is derived from the knowledge held by individuals and groups. In their function of aggregating human knowledge, they collect and provide opportunities for feedback on the outcomes of individual choices. Consent becomes a critical part of the equation when harnessing individual information. In France, consent is one of the four conditions necessary to form a valid contract (article 1108 of the Code Civil).</p>
<p style="text-align: justify; ">The cases highlight the complexities that are inherent in the existing mechanisms of online consent. The question of consent has many underlying layers, such as reasonable notice and contractual obligations related to consent, such as those explored in the case in Canada, which looked at whether clauses of TOS were communicated reasonably to the user, a topic for another blog. For now, we must remember that by creating and organising social knowledge that furthers human activity, service providers serve a powerful function. And as the saying goes, with great power comes great responsibility.</p>
<hr size="1" style="text-align: justify; " width="33%" />
<p style="text-align: justify; "><a href="#_ftnref1">[1]</a> 'FTC Alleges T-Mobile Crammed Bogus Charges onto Customers’ Phone Bills', published 1 July, 2014. See: http://www.ftc.gov/news-events/press-releases/2014/07/ftc-alleges-t-mobile-crammed-bogus-charges-customers-phone-bills</p>
<p style="text-align: justify; "><a href="#_ftnref2">[2]</a> 'Experimental evidence of massive-scale emotional contagion through social networks', Adam D. I. Kramer, Jamie E. Guillory, and Jeffrey T. Hancock, published March 25, 2014. See: http://www.pnas.org/content/111/24/8788.full.pdf+html?sid=2610b655-db67-453d-bcb6-da4efeebf534</p>
<p style="text-align: justify; "><a href="#_ftnref3">[3]</a> 'U.S. sues T-Mobile USA, alleges bogus charges on phone bills', Reuters, published 1st July, 2014. See: http://www.reuters.com/article/2014/07/01/us-tmobile-ftc-idUSKBN0F656E20140701</p>
<p style="text-align: justify; "><a href="#_ftnref4">[4]</a> 'The Cost of Reading Privacy Policies', Aleecia M. McDonald and Lorrie Faith Cranor, published in I/S: A Journal of Law and Policy for the Information Society, 2008 Privacy Year in Review issue. See: http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref5">[5]</a> 'Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days', Alexis C. Madrigal, published in The Atlantic, March 2012. See: http://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/</p>
<p style="text-align: justify; "><a href="#_ftnref6">[6]</a> Facebook Legal Terms. See: https://www.facebook.com/legal/terms</p>
<p style="text-align: justify; "><a href="#_ftnref7">[7]</a> 'Facebook's Eroding Privacy Policy: A Timeline', Kurt Opsahl, published by the Electronic Frontier Foundation, April 28, 2010. See: https://www.eff.org/deeplinks/2010/04/facebook-timeline</p>
<p style="text-align: justify; "><a href="#_ftnref8">[8]</a> Facebook Data Use Policy. See: https://www.facebook.com/about/privacy/</p>
<p style="text-align: justify; "><a href="#_ftnref9">[9]</a> 'When ‘Liking’ a Brand Online Voids the Right to Sue', Stephanie Strom, published in New York Times on April 16, 2014. See: http://www.nytimes.com/2014/04/17/business/when-liking-a-brand-online-voids-the-right-to-sue.html?ref=business</p>
<p style="text-align: justify; "><a href="#_ftnref10">[10]</a> Explaining our website privacy policy and legal terms, published April 17, 2014. See: http://www.blog.generalmills.com/2014/04/explaining-our-website-privacy-policy-and-legal-terms/</p>
<p style="text-align: justify; "><a href="#_ftnref11">[11]</a> General Mills Amends New Legal Policies, Stephanie Strom, published in New York Times on 1 http://www.nytimes.com/2014/04/18/business/general-mills-amends-new-legal-policies.html?_r=0</p>
<p style="text-align: justify; "><a href="#_ftnref12">[12]</a> Edward Snowden Statement to European Parliament, published March 7, 2014. See: http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref13">[13]</a> Progress on EU data protection reform now irreversible following European Parliament vote, published 12 March 201 See: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm</p>
<p style="text-align: justify; "><a href="#_ftnref14">[14]</a> European Court of Justice rules Internet Search Engine Operator responsible for Processing Personal Data Published by Third Parties, Jyoti Panday, published on CIS blog on May 14, 2014. See: http://cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties</p>
<p style="text-align: justify; "><a href="#_ftnref15">[15]</a> Complaint regarding Apple iCloud’s terms and conditions, published on 13 May 2014. See: http://www.forbrukerradet.no/_attachment/1175090/binary/29927</p>
<p style="text-align: justify; "><a href="#_ftnref16">[16]</a> 'Facebook faces UK probe over emotion study'. See: http://www.bbc.co.uk/news/technology-28102550</p>
<p style="text-align: justify; "><a href="file:///C:/Users/jyoti/Desktop/Reading%20the%20fine%20script%20When%20terms%20and%20conditions%20apply.docx#_ftnref17">[17]</a> Our Reaction to the FTC Lawsuit See: http://newsroom.t-mobile.com/news/our-reaction-to-the-ftc-lawsuit.htm</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights'>http://editors.cis-india.org/internet-governance/blog/reading-between-the-lines-service-providers-terms-and-conditions-and-consumer-rights</a>
</p>
No publisher | jyoti | Social Media, Consumer Rights, Google, internet and society, Privacy, Transparency and Accountability, Intermediary Liability, Accountability, Facebook, Data Protection, Policies, Safety | 2014-07-04T06:31:37Z | Blog Entry
WSIS+10 High Level Event: A Bird's Eye Report
http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report
<b>The WSIS+10 High Level Event was organised by the ITU and collaborative UN entities on June 9-13, 2014. It aimed to evaluate the progress on implementation of WSIS Outcomes from Geneva 2003 and Tunis 2005, and to envision a post-2015 Development Agenda. Geetha Hariharan attended the event on CIS' behalf.</b>
<p style="text-align: justify; "><span>The World Summit on Information Society (WSIS) +10 </span><a href="http://www.itu.int/wsis/implementation/2014/forum/">High Level Event</a><span> (HLE) was hosted at the ITU Headquarters in Geneva, from June 9-13, 2014. The HLE aimed to review the implementation and progress made on information and communication technology (ICT) across the globe, in light of WSIS outcomes (</span><a href="http://www.itu.int/wsis/index-p1.html">Geneva 2003</a><span> and </span><a href="http://www.itu.int/wsis/index-p2.html">Tunis 2005</a><span>). Organised in three parallel tracks, the HLE sought to take stock of progress in ICTs in the last decade (High Level track), initiate High Level Dialogues to formulate the post-2015 development agenda, as well as host thematic workshops for participants (Forum track).</span><span> </span></p>
<h3 style="text-align: justify; ">The High Level Track:</h3>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/internet-governance/blog/copy2_of_HighLevelTrack.jpg/@@images/be5f993c-3553-4d63-bb66-7cd16f8407dc.jpeg" alt="High Level Track" class="image-inline" title="High Level Track" /></p>
<p style="text-align: justify; "><i>Opening Ceremony, WSIS+10 High Level Event </i>(<a class="external-link" href="https://twitter.com/ITU/status/334587247556960256/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The High Level track opened officially on June 10, 2014, and culminated with the endorsement by acclamation (as is ITU tradition) of two <a href="http://www.itu.int/wsis/implementation/2014/forum/inc/doc/outcome/362828V2E.pdf">Outcome Documents</a>. These were: (1) WSIS+10 Statement on the Implementation of WSIS Outcomes, taking stock of ICT developments since the WSIS summits, (2) WSIS+10 Vision for WSIS Beyond 2015, aiming to develop a vision for the post-2015 global information society. These documents were the result of the WSIS+10 <a href="http://www.itu.int/wsis/review/mpp/">Multi-stakeholder Preparatory Platform</a> (MPP), which involved WSIS stakeholders (governments, private sector, civil society, international organizations and relevant regional organizations).</p>
<p style="text-align: justify; ">The <strong>MPP</strong> met in six phases, convened as an open, inclusive consultation among WSIS stakeholders. It was not without its misadventures. While ITU Secretary General Dr. Hamadoun I. Touré consistently lauded the multi-stakeholder process, and Ambassador Janis Karklins urged all parties, especially governments, to “<i>let the UN General Assembly know that the multi-stakeholder model works for Internet governance at all levels</i>”, participants in the process shared stories of discomfort, disagreement and discord amongst stakeholders on various IG issues, not least human rights on the Internet, surveillance and privacy, and multi-stakeholderism. Richard Hill of the Association for Proper Internet Governance (<a href="http://www.apig.ch/">APIG</a>) and the Just Net Coalition writes that like NETmundial, the MPP was rich in a diversity of views and knowledge exchange, but stakeholders <a href="http://www.ip-watch.org/2014/06/16/what-questions-did-the-wsis10-high-level-event-answer/">failed to reach consensus</a> on crucial issues. Indeed, Prof. Vladimir Minkin, Chairman of the MPP, expressed his dismay at the lack of consensus over action line C9. A compromise was agreed upon in relation to C9 later.</p>
<p style="text-align: justify; ">Some members of civil society expressed their satisfaction with the extensive references to human rights and rights-centred development in the Outcome Documents. While governmental opposition was seen as frustrating, they felt that the <strong><span style="text-decoration: underline;">MPP had sought and achieved a common understanding</span></strong>, a sentiment <a href="https://twitter.com/covertlight/status/476748168051580928">echoed</a> by the ITU Secretary General. Indeed, even Iran, a state that had expressed major reservations during the MPP and felt itself unable to agree with the text, <a href="https://twitter.com/covertlight/status/476748723750711297">agreed</a> that the MPP had worked hard to draft a document beneficial to all.</p>
<p style="text-align: justify; ">Concerns around the MPP did not affect the <strong><span style="text-decoration: underline;">review of ICT developments</span></strong> over the last decade. High Level Panels with Ministers of ICT from states such as Uganda, Bangladesh, Sweden, Nigeria, Saudi Arabia and others, heads of the UN Development Programme, UNCTAD, Food and Agriculture Organisation, UN-WOMEN and others spoke at length of rapid advances in ICTs. The focus was largely on ICT access and affordability in developing states. John E. Davies of Intel repeatedly drew attention to innovative uses of ICTs in Africa and Asia, which have helped bridge divides of affordability, gender, education and capacity-building. Public-private partnerships were the best solution, he said, to affordability and access. At a ceremony evaluating implementation of WSIS action-lines, the Centre for Development of Advanced Computing (C-DAC), India, <a href="https://twitter.com/covertlight/status/476748723750711297">won an award</a> for its e-health application MOTHER.</p>
<p style="text-align: justify; "><span>The Outcome Documents themselves shall be analysed in a separate post. But in sum, the dialogue around Internet governance at the HLE centred around the success of the MPP. Most participants on panels and in the audience felt this was a crucial achievement within the realm of the UN, where the Tunis Summit had delineated strict roles for stakeholders in paragraph 35 of the </span><a href="http://www.itu.int/wsis/docs2/tunis/off/6rev1.html">Tunis Agenda</a><span>. Indeed, there was palpable relief in Conference Room 1 at the </span><a href="http://www.cicg.ch/en/">CICG</a><span>, Geneva, when on June 11, Dr. Touré announced that the Outcome Documents would be adopted without a vote, in keeping with ITU tradition, even if consensus was achieved by compromise.</span></p>
<h3 style="text-align: justify; ">The High Level Dialogues:</h3>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/internet-governance/blog/HighLevelDialogues.jpg/@@images/3c30d94f-7a65-4912-bb42-2ccd3b85a18d.jpeg" alt="High Level Dialogues" class="image-inline" title="High Level Dialogues" /></p>
<p style="text-align: justify; "><i>Prof. Vladimir Minkin delivers a statement.</i> (<a class="external-link" href="https://twitter.com/JaroslawPONDER/status/476288845013843968/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The High Level Dialogues on developing a post-2015 Development Agenda, based on WSIS action lines, were active on June 12. Introducing the Dialogue, Dr. Touré lamented the Millennium Development Goals as a “<i>lost opportunity</i>”, emphasizing the need to alert the UN General Assembly and its committees as to the importance of ICTs for development.</p>
<p style="text-align: justify; ">As on previous panels, there was <strong><span style="text-decoration: underline;">intense focus on access, affordability and reach in developing countries</span></strong>, with Rwanda and Bangladesh expounding upon their successes in implementing ICT innovations domestically. The world is more connected than it was in 2005, and the ITU in 2014 is no longer what it was in 2003, said speakers. But we lack data on ICT deployment across the globe, said Minister Knutssen of Sweden, reminding the gathering of the need to engage all stakeholders in this task. Speakers on multiple panels, including the Rwandan Minister for CIT, Marilyn Cade of ICANN and Petra Lantz of the UNDP, emphasized the need for ‘smart engagement’ and capacity-building for ICT development and deployment.</p>
<p style="text-align: justify; ">A crucial session on cybersecurity saw Dr. Touré envision a global peace treaty accommodating multiple stakeholders. On the panel were Minister Omobola Johnson of Nigeria, Prof. Udo Helmbrecht of the European Union Agency for Network and Information Security (ENISA), Prof. A.A. Wahab of Cybersecurity Malaysia and Simon Muller of Facebook. The focus was primarily on building laws and regulations for secure communication and business, while child protection was equally considered.<span> </span></p>
<p style="text-align: justify; ">The lack of laws/regulations for cybersecurity (child pornography and jurisdictional issues, for instance), or other legal protections (privacy, data protection, freedom of speech) in rapidly connecting developing states was noted. But the <strong><span style="text-decoration: underline;">question of cross-border surveillance and wanton violations of privacy went unaddressed</span></strong> except for the customary, unavoidable mention. This was expected. Debates in Internet governance have, in the past year, been silently and invisibly driven by the Snowden revelations. So too, at WSIS+10 Cybersecurity, speakers emphasized open data, information exchange, data ownership and control (the <a href="http://editors.cis-india.org/internet-governance/blog/ecj-rules-internet-search-engine-operator-responsible-for-processing-personal-data-published-by-third-parties">right to be forgotten</a>), but did not openly address surveillance. Indeed, Simon Muller of Facebook called upon governments to publish their own transparency reports: A laudable suggestion, even accounting for Facebook’s own undetailed and truncated reports.</p>
<p style="text-align: justify; ">In a nutshell, the post-2015 Development Agenda dialogues repeatedly emphasized the importance of ICTs in global connectivity, and their impact on GDP growth and socio-cultural change and progress. The focus was on taking this message to the UN General Assembly, engaging all stakeholders and creating an achievable set of action lines post-2015.</p>
<h3 style="text-align: justify; ">The Forum Track:</h3>
<p><img src="http://editors.cis-india.org/internet-governance/blog/copy_of_ForumTrack.jpg/@@images/dfcce68a-18d7-4f1e-897b-7208bb60abc9.jpeg" alt="Forum Track" class="image-inline" title="Forum Track" /></p>
<p><i>Participants at the UNESCO session on its Comprehensive Study on Internet-related Issues</i> (<a class="external-link" href="https://twitter.com/leakaspar/status/476690921644646400/photo/1">Source</a>)</p>
<p style="text-align: justify; ">The HLE was organized as an extended version of the WSIS Forum, which hosts thematic workshops and networking opportunities, much like any other conference. Running in parallel sessions over 5 days, the WSIS Forum hosted sessions by the ITU, UNESCO, UNDP, ICANN, ISOC, APIG, etc., on issues as diverse as the WSIS Action Lines, the future of Internet governance, the successes and failures of <a href="http://www.internetgovernance.org/2012/12/18/itu-phobia-why-wcit-was-derailed/">WCIT-2012</a>, UNESCO’s <a href="http://www.unesco.org/new/internetstudy">Comprehensive Study on Internet-related Issues</a>, spam and a taxonomy of Internet governance.<span> </span></p>
<p style="text-align: justify; ">Detailed explanation of each session I attended is beyond the scope of this report, so I will limit myself to the interesting issues raised.<span> </span></p>
<p style="text-align: justify; ">At ICANN’s session on its own future (June 9), Ms. Marilyn Cade emphasized the <strong><span style="text-decoration: underline;">importance of national and regional IGFs</span></strong> for both issue-awareness and capacity-building. Mr. Nigel Hickson spoke of engagement at multiple Internet governance fora: “<i>Internet governance is not shaped by individual events</i>”. In light of <a href="http://www.internetgovernance.org/2014/04/16/icann-anything-that-doesnt-give-iana-to-me-is-out-of-scope/">criticism</a> of ICANN’s apparent monopoly over IANA stewardship transition, this has been ICANN’s continual <a href="https://www.icann.org/resources/pages/process-next-steps-2014-06-06-en">response</a> (often repeated at the HLE itself). Also widely discussed was the <strong><span style="text-decoration: underline;">role of stakeholders in Internet governance</span></strong>, given the delineation of roles and responsibilities in the Tunis Agenda, and governments’ preference for policy-monopoly (At WSIS+10, Indian Ambassador Dilip Sinha seemed wistful that multilateralism is a “<i>distant dream</i>”).<span> </span></p>
<p style="text-align: justify; ">This discussion bore greater fruit in a session on Internet governance ‘taxonomy’. The session saw <a href="https://www.icann.org/profiles/george-sadowsky">Mr. George Sadowsky</a>, <a href="http://www.diplomacy.edu/courses/faculty/kurbalija">Dr. Jovan Kurbalija</a>, <a href="http://www.williamdrake.org/">Mr. William Drake</a> and <a href="http://www.itu.int/wsis/implementation/2014/forum/agenda/session_docs/170/ThoughtsOnIG.pdf">Mr. Eliot Lear</a> (there is surprisingly no official profile-page on Mr. Lear) expound on dense structures of Internet governance, involving multiple methods of classification of Internet infrastructure, CIRs, public policy issues, etc. across a spectrum of ‘baskets’ – socio-cultural, economic, legal, technical. Such studies, though each attempting clarity in Internet governance studies, indicate that the closer you get to IG, the more diverse and interconnected the eco-system gets. David Souter’s diagrams almost capture the flux of dynamic debate in this area (please see pages 9 and 22 of <a href="http://www.internetsociety.org/sites/default/files/ISOC%20framework%20for%20IG%20assessments%20-%20D%20Souter%20-%20final_0.pdf">this ISOC study</a>).</p>
<p style="text-align: justify; ">There were, for the most part, insightful interventions from session participants. Mr. Sadowsky questioned the effectiveness of the Tunis Agenda delineation of stakeholder-roles, while Mr. Lear pleaded that techies be let to do their jobs without interference. <a href="http://internetdemocracy.in/">Ms. Anja Kovacs</a> raised pertinent concerns about <strong><span style="text-decoration: underline;">including voiceless minorities in a ‘rough consensus’ model</span></strong>. Across sessions, <strong><span style="text-decoration: underline;">questions of mass surveillance, privacy and data ownership arose</span></strong> from participants. The protection of human rights on the Internet – especially freedom of expression and privacy – made a continual appearance, across issues like spam (<a href="http://www.itu.int/ITU-D/CDS/sg/rgqlist.asp?lg=1&sp=2010&rgq=D10-RGQ22.1.1&stg=1">Question 22-1/1</a> of ITU-D Study Group 1) and cybersecurity.</p>
<h3 style="text-align: justify; ">Conclusion:</h3>
<p style="text-align: justify; ">The HLE was widely attended by participants across WSIS stakeholder-groups. At the event, a great many relevant questions such as the future of ICTs, inclusions in the post-2015 Development Agenda, the value of multi-stakeholder models, and human rights such as free speech and privacy were raised across the board. Not only were these raised, but cognizance was taken of them by Ministers, members of the ITU and other collaborative UN bodies, private sector entities such as ICANN, technical community such as the ISOC and IETF, as well as (obviously) civil society.</p>
<p style="text-align: justify; ">Substantively, the HLE did not address mass surveillance and privacy, nor the expanding roles of WSIS stakeholders and beyond. Processually, the MPP failed to reach consensus on several issues comfortably, and a compromise had to be brokered.</p>
<p style="text-align: justify; "><span>But perhaps a big change at the HLE was the positive attitude to multi-stakeholder models from many quarters, not least the ITU Secretary General Dr. Hamadoun Touré. His repeated calls for acceptance of multi-stakeholderism left many members of civil society surprised and tentatively pleased. Going forward, it will be interesting to track the ITU and the rest of UN’s (and of course, member states’) stances on multi-stakeholderism at the ITU Plenipot, the WSIS+10 Review and the UN General Assembly session, at the least.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report'>http://editors.cis-india.org/internet-governance/blog/wsis-10-high-level-event-a-birds-eye-report</a>
</p>
No publisher | geetha | WSIS+10, Privacy, Cybersecurity, Human Rights Online, Surveillance, Freedom of Speech and Expression, Internet Governance, Facebook, Data Protection, Multi-stakeholder, ICANN, Internet Access, ITU, Internet Studies, E-Governance, ICT | 2014-06-20T15:57:32Z | Blog Entry
Marco Civil da Internet: Brazil’s ‘Internet Constitution’
http://editors.cis-india.org/internet-governance/blog/marco-civil-da-internet
<b>On March 25, 2014, Brazil's lower house of parliament passed bill no. 2126/2011, popularly known as Marco Civil da Internet. The Marco Civil is a charter of Internet user-rights and service provider responsibilities, committed to freedom of speech and expression, privacy, and accessibility and openness of the Internet. In this post, the author looks at the pros and cons of the bill.</b>
<h3><em><strong>Introduction:</strong></em></h3>
<div style="text-align: justify; ">
<div>
<div style="text-align: justify; ">Ten months ago, Edward Snowden’s revelations of the U.S. National Security Agency’s extensive, warrantless spying dawned on us. Citizens and presidents alike expressed their outrage at this sweeping violation of their privacy. While India’s position remained carefully neutral, or indeed, supportive of NSA’s surveillance, Germany, France and Brazil cut the U.S. no slack. Indeed, at the 68th session of the United Nations General Assembly, Brazilian President Dilma Rousseff (whose office the NSA had placed under surveillance) stated, “<em>Tampering in such a manner in the affairs of other countries is a breach of International Law and is an affront to the principles that must guide the relations among them, especially among friendly nations.</em>” Brazil, she said, would “<em>redouble its efforts to adopt legislation, technologies and mechanisms to protect us from the illegal interception of communications and data.</em>”</div>
<div>Some may say that Brazil has lived up to its word. Later this month, Brazil will be host to <em>NETmundial</em>, the Global Multi-stakeholder Meeting on the Future of Internet Governance, jointly organized by the Brazilian Internet Steering Committee (CGI.br) and the organization /1Net. The elephantine invisible presence of Snowden vests NETmundial with the hope and responsibility of laying the ground for a truly multi-stakeholder model for governing various aspects of the Internet; a model where governments are an integral part, but not the only decision-makers. The global Internet community, comprising users, corporations, governments, the technical community, and NGOs and think-tanks, is hoping to devise a workable method to divest the U.S. Government of its <em>de facto</em> control over the Internet, which it wields through its contracts to manage the domain name system and the root zone.</div>
<div>But as Internet governance expert Dr. Jeremy Malcolm put it, these technical aspects do not make or break the Internet. The real questions in Internet governance underpin the rights of users, corporations and netizens worldwide. Sir Tim Berners-Lee, when he <a class="external-link" href="http://www.theguardian.com/technology/2014/mar/12/online-magna-carta-berners-lee-web">called for</a> an Internet Bill of Rights, meant much the same. For Sir Tim, an open, neutral Internet is imperative if we are to keep our governments open, and foster “<em>good democracy, healthcare, connected communities and diversity of culture</em>”. Some countries agree. The Philippines envisaged a <em>Magna Carta</em> for Internet Freedom, though the Bill is pending in the Philippine parliament.</div>
<h3><strong><em>Marco Civil da Internet:</em></strong></h3>
<div>Last week, on March 25, 2014, the Brazilian Chamber of Deputies (the lower house of parliament) passed the <em>Marco Civil da Internet</em>, bill 2126/2011, a charter of Internet rights. The <em>Marco Civil</em> is considered by the global Internet community as a one-of-a-kind bill, with Sir Tim Berners-Lee <a class="external-link" href="http://www.webfoundation.org/2014/03/marco-civil-statement-of-support-from-sir-tim-berners-lee/?utm_source=hootsuite&utm_campaign=hootsuite">hailing</a> the “<em>groundbreaking, inclusive and participatory process has resulted in a policy that balances the rights and responsibilities of the individuals, governments and corporations who use the Internet</em>”.</div>
<div>The <em>Marco Civil</em>’s journey began with a two-stage public consultation process in October 2009, under the aegis of the Brazilian Ministry of Justice’s Department of Legislative Affairs, jointly with the Getulio Vargas Foundation’s Center for Technology and Society of the Law School of Rio de Janeiro (CTS-FGV). The collaborative process <a class="external-link" href="http://observatoriodainternet.br/wp-content/uploads/2012/11/Internet-Policy-Report-Brazil-2011.pdf">involved</a> a 45-day consultation process in which over 800 comments were received, following which a second consultation in May 2010 received over 1200 comments from individuals, civil society organizations and corporations involved in the telecom and technology industries. Based on comments, the initial draft of the bill was revamped to include issues of popular, public importance, such as intermediary liability and online freedom of speech.</div>
<div>An official English translation of the <em>Marco Civil</em> is as yet unavailable. But an <a class="external-link" href="https://docs.google.com/document/d/1kJYQx-l_BVa9-3FZX23Vk9IfibH9x6E9uQfFT4e4V9I/pub">unofficial translation</a> (please note that the file is uploaded on Google Drive), triangulated against <a class="external-link" href="http://infojustice.org/archives/32527">online</a> <a class="external-link" href="http://www.zdnet.com/brazil-passes-groundbreaking-internet-governance-bill-7000027740/">commentary</a> on <a class="external-link" href="http://www.zdnet.com/all-you-need-to-know-about-brazils-internet-constitution-7000022726/">the bill</a>, reveals that the following issues were of primary importance:</div>
<h3><strong><em>The fundamentals:</em></strong></h3>
<div>The fundamental principles of the <em>Marco Civil</em> reveal a commitment to openness, accessibility, neutrality and democratic collaboration on the Internet. Art. 2 (see unofficial translation) sets out the fundamental principles that form the basis of the law. It pledges to adhere to freedom of speech and expression, along with an acknowledgement of the global scale of the network, its openness and collaborative nature, its plurality and diversity. It aims to foster free enterprise and competition on the Internet, while ensuring consumer protection and upholding human rights, personality development and citizenship exercise in the digital media in line with the network’s social purposes. Not only this, but Art. 4 of the bill pledges to promote universal access to the Internet, as well as “<em>to information, knowledge and participation in cultural life and public affairs</em>”. It aims to promote innovation and open technology standards, while ensuring interoperability.</div>
<div>The <em>Marco Civil</em> expands on its commitment to human rights and accessibility by laying down a “<em>discipline of Internet use in Brazil</em>”. Art. 3 of the bill guarantees freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution of Brazil, while at the same time guaranteeing privacy and protection of personal data, and preserving network neutrality. It also focuses on preserving network stability and security, by emphasizing accountability and adopting “<em>technical measures consistent with international standards and by encouraging the implementation of best practices</em>”.</div>
<div>These principles, however, are buttressed by rights assured to Internet users and responsibilities of and exceptions provided to service providers.</div>
</div>
<h3><strong><em>Rights and responsibilities of users and service providers:</em></strong></h3>
<div><strong><span style="text-decoration: underline;">Net neutrality:</span></strong></div>
<div>Brazil becomes one of the few countries in the world (joining the likes of the Netherlands, Chile and Israel in part) to preserve network neutrality by legislation. Art. 9 of the <em>Marco Civil</em> requires all Internet providers “<em>to treat any data package with isonomy, regardless of content, origin and destination, service, terminal or application</em>”. Not only this, but Internet providers are enjoined from blocking, monitoring or filtering content during any stage of transmission or routing of data. Deep packet inspection is also forbidden. Exceptions may be made to discriminate among network traffic <em>only</em> on the basis of essential technical requirements for services-provision, and for emergency services prioritization. Even this requires the Internet provider to inform users in advance of such traffic discrimination, and to act proportionately, transparently and with equal protection.</div>
<div><strong><span style="text-decoration: underline;">Data retention, privacy and data protection:</span></strong></div>
<div>The <em>Marco Civil</em> includes provisions for the retention of personal data and communications by service providers, and access to the same by law enforcement authorities. However, the recording and retention of, and access to, Internet connection records and applications access-logs, as well as any personal data and communication, are required to meet the standards for “<em>the conservation of intimacy, private life, honor and image of the parties directly or indirectly involved</em>” (Art. 10). Specifically, access to identifying information and contents of personal communication may be obtained <em>only</em> upon judicial authorization.</div>
<div>Moreover, where data is collected within Brazilian territory, processes of collection, storage, custody and treatment of the abovementioned data are required to comply with Brazilian laws, especially the right to privacy and confidentiality of personal data and private communications and records (Art. 11). Interestingly, this compliance requirement is applicable also to entities incorporated in foreign jurisdictions, which offer services to Brazilians, or where a subsidiary or associate entity of the corporation in question has establishments in Brazil. While this is undoubtedly a laudable protection for Brazilians or service providers located in Brazil, it is possible that conflicts may arise (<a class="external-link" href="http://www.economist.com/news/americas/21599781-brazils-magna-carta-web-net-closes?frsc=dg%7Ca&fsrc=scn/tw_app_ipad">with penal consequences</a>) between standards and terms of data retention and access by authorities in other jurisdictions. In the predictable absence of harmonization of such laws, perhaps rules of conflicts of law may prove helpful.</div>
<div></div>
<div></div>
<div>While data retention remained a point of contention (Brazil initially sought to ensure a 5-year data retention period), under the <em>Marco Civil</em><span>, Internet providers are required to retain connection records for 1 year under rules of strict confidentiality; this responsibility cannot be delegated to third parties (Art. 13). Providers providing the Internet connection (such as Reliance or Airtel in India) are forbidden from retaining records of access to applications on the Internet (Art. 14). While law enforcement authorities may request a longer retention period, a court order (filed for by the authority within 60 days from the date of such request) is required to access the records themselves. In the event the authority fails to file for such court order within the stipulated period, or if court order is denied, the service provider must protect the confidentiality of the connection records.</span></div>
<div>Though initially excluded from the <em>Marco Civil</em>, the current draft passed by the Chamber of Deputies requires Internet application providers (such as Google or Facebook) to retain access-logs for their applications for 6 months (Art. 15). Logs for other applications may not be retained without previous consent of the owner, and in any case, the provider cannot retain personal data that is in excess of the purpose for which consent was given by the owner. As for connection records, law enforcement authorities may request a greater retention period, but require a court order to access the data itself.</div>
<div>These requirements must be understood in light of the rights that the <em>Marco Civil</em> guarantees to users. Art. 7, which enumerates these user-rights, does not however set forth their <em>content</em>; this is probably left to judicial interpretation of rights enshrined in the Federal Constitution. In any event, Art. 7 guarantees to all Internet users the “<em>inviolability of intimacy and privacy</em>”, including the confidentiality of all Internet communications, along with “<em>compensation for material or moral damages resulting from violation</em>”. In this regard, it assures that users are entitled to a guarantee that no personal data or communication shall be shared with third parties in the absence of express consent, and to “<em>clear and complete information on the collection, use, storage, treatment and protection of their personal data</em>”. Indeed, where contracts violate the requirements of inviolability and secrecy of private communications, or where a dispute resolution clause does not permit the user to approach Brazilian courts as an alternative, Art. 8 renders such contracts null and void.</div>
<div>Most importantly, Art. 7 states that users are entitled to clear and complete information about how connection records and access logs shall be stored and protected, and to publicity of terms/policies of use of service providers. Additionally, Art. 7 emphasizes quality of service and accessibility to the Internet, and forbids suspension of Internet connections except for failure of payments. Read comprehensively, therefore, Arts. 7-15 of the <em>Marco Civil prima facie</em> set down robust protections for private and personal data and communications.</div>
<div>An initial draft of the <em>Marco Civil</em> <a class="external-link" href="http://www.zdnet.com/companies-brace-for-brazil-local-data-storage-requirements-7000027092/">sought to mandate</a> local storage of all Brazilians’ data within Brazilian territory. This came in response to Snowden’s revelations of NSA surveillance, and President Rousseff, in her <a class="external-link" href="http://gadebate.un.org/sites/default/files/gastatements/68/BR_en.pdf">statement</a> to the United Nations, declared that Brazil sought to protect itself from “<em>illegal interception of communications and data</em>”. However, the implication of this local storage requirement was the creation of a <a class="external-link" href="http://bigstory.ap.org/article/brazil-looks-break-us-centric-internet">geographically isolated</a> Brazilian Internet, with repercussions for the Internet’s openness and interoperability that the <em>Marco Civil</em> itself sought to protect. Moreover, there are <a class="external-link" href="http://www.gp-digital.org/gpd-update/data-retention-provisions-in-the-marco-civil/">implications</a> for efficiency and business; for instance, small businesses may be unable to source the money or capacity to comply with local storage requirements. Also, they lead to mandating storage on political grounds, and not on the basis of effective storage. Amid widespread protest from corporations and civil society, this requirement was then <a class="external-link" href="http://www.zdnet.com/brazil-gives-up-on-local-data-storage-demands-net-neutrality-7000027493/">withdrawn</a>, which, some say, propelled the quick passage of the bill in the Chamber of Deputies.</div>
</div>
<div style="text-align: justify; ">
<div><strong><span style="text-decoration: underline;">Intermediary liability:</span></strong></div>
<div>Laws of many countries make service providers liable for third party content that infringes copyright or that is otherwise against the law (such as pornography or other offensive content). For instance, Section 79 of the Indian Information Technology Act, 2000 (as amended in 2008) is such a provision where intermediaries (i.e., those who host user-generated content, but do not create the content themselves) may be held liable. However, stringent intermediary liability regimes create the possibility of private censorship, where intermediaries resort to blocking or filtering user-generated content that they fear may violate laws, sometimes even without intimating the creator of the infringing content. The <em>Marco Civil</em> addresses this possibility of censorship by creating a restricted intermediary liability provision. Please note, however, that the bill expressly excludes from its ambit copyright violations, which a <a class="external-link" href="http://infojustice.org/archives/31993">copyright reforms bill</a> seeks to address.</div>
<div>At first instance, the <em>Marco Civil</em> exempts service providers from civil liability for third party content (Art. 18). Moreover, intermediaries are liable for damages arising out of third party content <em>only</em> where such intermediaries do not comply with court orders (which may require removal of content, etc.) (Art. 19). This leaves questions of infringement and censorship to the judiciary, which the author believes is the right forum to adjudicate such issues. Moreover, wherever identifying information is available, Art. 20 mandates the intermediary to apprise the creator of infringing content of the reasons for removal of his/her content, with information that enables the creator to defend him- or herself in court. This measure of transparency is particularly laudable; for instance, in India, no such intimation is required by law, and you or I as journalists, bloggers or other creators of content may never know why our content is taken down, or be equipped to defend ourselves in court against the plaintiff or petitioner who sought removal of our content. Finally, a due diligence requirement is placed on the intermediary in circumstances where third party content discloses, “<em>without consent of its participants, of photos, videos or other materials containing nudity or sexual acts of private character</em>”. As per Art. 21, where the intermediary does not take down such content upon being intimated by the concerned participant, it may be held secondarily liable for infringement of privacy.</div>
<div>This restricted intermediary liability regime is further strengthened by a requirement of specific identification of infringing content, which both the court order issued under Art. 20 and the take-down request under Art. 21 must fulfill. This requirement is missing, for instance, under Section 79 of the Indian Information Technology Act, which creates a diligence and liability regime without requiring identifiability of infringing content.</div>
<h3><strong><em>Conclusion:</em></strong></h3>
<div>Brazil’s ‘Internet Constitution’ has done much to add to the ongoing discussion on the rights and responsibilities of users and providers. By expressly adopting protections for net neutrality and online privacy and freedom of expression, the Marco Civil may be considered to set itself up as a model for Internet rights at the municipal level, barring a Utopian bill of rights. Indeed, in an effusive statement of support for the bill, Sir Tim Berners-Lee stated: “<em>If Marco Civil is passed, without further delay or amendment, this would be the best possible birthday gift for Brazilian and global Web users.</em>”</div>
<div>Of course, the <em>Marco Civil</em> is not without its failings. Authors <a class="external-link" href="http://infojustice.org/archives/32527">say</a> that the data retention requirements for connection and application providers, with leeway provided for law enforcement authorities to lengthen retention periods, are problematic. Moreover, the discussions surrounding data localization and a ‘walled-off’ Internet that protects against surveillance ignore the interoperability and openness that form the core of the Internet.</div>
<div>On the whole, though, the <em>Marco Civil</em> may be considered a victory, on many counts. It is possibly the first successful example of a national legislation that is the outcome of a broad, consultative process with civil society and other affected entities. It expressly affirms Brazil’s commitment to the protection of privacy and freedom of expression, as well as to Internet accessibility and the openness of the network. It aims to eliminate the possibility of private censorship online, while upholding privacy rights of users. It seeks to reduce the potential for abuse of personal data and communication by government authorities, by requiring judicial authorization for the same. In a world where warrantless government spying extends across national borders, such a provision is novel and desirable. One hopes that, when the global Internet community sits down at its various fora to identify and enumerate principles for Internet governance, it will look to the <em>Marco Civil</em> as an example of standards that governments may adhere to, and not necessarily resort to the lowest common denominator standards of international rights and protections.</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/marco-civil-da-internet'>http://editors.cis-india.org/internet-governance/blog/marco-civil-da-internet</a>
</p>
No publisher; geetha; Privacy; Freedom of Speech and Expression; Data Protection; Net Neutrality; Internet Governance; 2014-06-19T10:38:10Z; Blog Entry
Electoral Databases – Privacy and Security Concerns
http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters, including personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would be able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to the general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition to that, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electors Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of the electoral database, which allows for uniformity, standardization and centralization of the database, which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth of processing power there has been a growth in surveillance capabilities; on this note, the article is titled “<i>With Great Computing Power Comes Great Surveillance</i>”.<a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on an individual’s privacy since the personal information of every voter is made available in the public domain.</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies that have a high population of voters above the age of 65. This would help the authority to set up polling booths at closer locations with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT Laws do not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a>. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases, <i>per se</i>. Since the ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (<i>hereinafter </i>Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI for hosting the entire country’s electoral database online <i>inter alia</i> is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify the electoral database as a protected system or a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose a threat to the privacy of the voters and also lead to security breaches. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Registration of Electors Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India, January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at <a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">eci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText"><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> <a class="external-link" href="http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/">http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India, January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
No publisher; snehashish; Digital Governance; Privacy; Cybersecurity; Data Protection; Internet Governance; Safety; Information Technology; Cyber Security; Security; e-Governance; Transparency, Politics; E-Governance; 2014-01-16T11:07:21Z; Blog Entry
The 2010 Special 301 Report Is More of the Same, Slightly Less Shrill
http://editors.cis-india.org/a2k/blogs/2010-special-301
<b>Pranesh Prakash examines the numerous flaws in the Special 301 from the Indian perspective, to come to the conclusion that the Indian government should openly refuse to acknowledge such a flawed report. He notes that the Consumers International survey, to which CIS contributed the India report, serves as an effective counter to the Special 301 report.</b>
<h1>Special 301 Report: Unbalanced Hypocrisy</h1>
<p>The United States Trade Representative has put out yet another edition of the Special 301 report which details the copyright law and policy wrongdoings of the US's trading partners. Jeremy Malcolm of Consumers International notes that the report this year claims to be a "well-balanced assessment of intellectual property protection and enforcement ... taking into account diverse factors", but:</p>
<blockquote>
<p>[I]n fact, the report largely continues to be very one-sided. As in previous editions, it lambasts developing countries for failing to meet unrealistically stringent standards of IP protection that exceed their obligations under international law.</p>
</blockquote>
<p>The more the report changes, <a href="http://cis-india.org/advocacy/ipr/blog/consumers-international-ip-watch-list-2009">the more it stays the same</a>. <a href="http://www.michaelgeist.ca/content/view/4684/195/">Despite having wider consultations</a> than just the International Intellectual Property Alliance (IIPA, consisting of US-based IP-maximalist lobbyists like the Motion Picture Association of America, Recording Industry Association of America, National Music Publishers Association, Association of American Publishers, and Business Software Alliance) and the Pharmaceutical Research and Manufacturers of America (PhRMA, consisting of US-based pharma multinationals), things haven't really changed much in terms of the shoddiness of the Special 301 report.</p>
<h1>India and the 2010 Special 301 Report</h1>
<p>The Special 301 report for 2010 contains the following assessment of India:</p>
<blockquote>
<p>India will remain on the Priority Watch List in 2010. India continues to make gradual progress on efforts to improve its legislative, administrative, and enforcement infrastructure for IPR. India has made incremental improvements on enforcement, and its IP offices continued to pursue promising modernization efforts. Among other steps, the United States is encouraged by the Indian government’s consideration of possible trademark law amendments that would facilitate India’s accession to the Madrid Protocol. The United States encourages the continuation of efforts to reduce patent application backlogs and streamline patent opposition proceedings. Some industries report improved engagement and commitment from enforcement officials on key enforcement challenges such as optical disc and book piracy. However, concerns remain over India’s inadequate legal framework and ineffective enforcement. Piracy and counterfeiting, including the counterfeiting of medicines, remains widespread and India’s enforcement regime remains ineffective at addressing this problem. Amendments are needed to bring India’s copyright law in line with international standards, including by implementing the provisions of the WIPO Internet Treaties. Additionally, a law designed to address the unauthorized manufacture and distribution of optical discs remains in draft form and should be enacted in the near term. The United States continues to urge India to improve its IPR regime by providing stronger protection for patents. One concern in this regard is a provision in India’s Patent Law that prohibits patents on certain chemical forms absent a showing of increased efficacy. While the full import of this provision remains unclear, it appears to limit the patentability of potentially beneficial innovations, such as temperature-stable forms of a drug or new means of drug delivery. 
The United States also encourages India to provide protection against unfair commercial use, as well as unauthorized disclosure, of undisclosed test or other data generated to obtain marketing approval for pharmaceutical and agricultural chemical products. The United States encourages India to improve its criminal enforcement regime by providing for expeditious judicial disposition of IPR infringement cases as well as deterrent sentences, and to change the perception that IPR offenses are low priority crimes. The United States urges India to strengthen its IPR regime and will continue to work with India on these issues in the coming year. </p>
</blockquote>
<p>This short dismissal of the Indian IPR regime, and subsequent classification of India as a "Priority Watch List" country reveals the great many problems with the Special 301.</p>
<h2>On Copyrights</h2>
<ol>
<li>
<p>The report notes that there are "concerns over India's inadequate legal framework and ineffective enforcement". However, nowhere does it bother to point out precisely <em>how</em> India's legal framework is inadequate, and how this is negatively affecting authors and creators, consumers, or even the industry groups (MPAA, RIAA, BSA, etc.) that give input to the USTR via the IIPA. Nor does it acknowledge the well-publicised fact that the statistics put out by these bodies have time and again <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">proven to be wrong</a>.</p>
</li>
<li>
<p>Apart from this bald allegation which has no backing, there is a bald statement about India needing to bring its copyright law "in line with international standards" including "the WIPO Internet Treaties". Given that more than half the countries of the world are not signatories to either of the WIPO Internet Treaties (namely the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty), calling them 'international standards' is suspect. That apart, both those treaties are TRIPS-plus treaties (requiring protections greater than the already-high standards of the TRIPS Agreement). India has not signed either of them. It should not be obligated to do so. Indeed, Ruth Okediji, a noted copyright scholar, <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1433848">states</a>:</p>
</li>
</ol>
<blockquote>
<p>Consistent with their predecessors, the WIPO Internet Treaties marginalize collaborative forms of creative engagement with which citizens in the global South have long identified and continue in the tradition of assuming that copyright’s most enduring canons are culturally neutral. [...] The Treaties do not provide a meaningful basis for a harmonized approach to encourage new creative forms in much the same way the Berne Convention fell short of embracing diversity in patterns and modes of authorial expression.</p>
</blockquote>
<ol>
<li>
<p>Some of the 'problems' noted in the report are actually seen as being beneficial by many researchers and scholars such as Lawrence Liang, Achal Prabhala, Perihan Abou Zeid <a href="https://sites.google.com/site/iipenforcement/bibliography">and others</a>, who argue that <a href="http://www.altlawforum.org/intellectual-property/publications/articles-on-the-social-life-of-media-piracy/reconsidering-the-pirate-nation">lax enforcement has enabled access to knowledge and promotion of innovation</a>. In a panel on 'Access to Knowledge' at the Internet Governance Forum, <a href="http://a2knetwork.org/access-knowledge-internet-governance-forum">Lea Shaver, Jeremy Malcolm and others</a> who have been involved in the Access to Knowledge movement noted that lack of strict enforcement played a positive role in many developing countries. However, they also noted, with a fair bit of trepidation, that this was sought to be changed at the international level through treaties such as the Anti-Counterfeiting Treaty Agreement (ACTA).</p>
</li>
<li>
<p>The scope of an optical disc law is quite different from that of copyright law. The report condemns "unauthorized manufacture and distribution of optical discs"; however, it does not make it clear that what it is talking about is not just unlicensed copying of films (which is already prohibited under the Copyright Act) but the manufacture and distribution of blank CDs and DVDs as well. The need for such a law is assumed, but never demonstrated. It is onerous for CD and DVD manufacturers (such as the Indian company Moserbaer), and is an overbearing means of attacking piracy.</p>
</li>
<li>
<p>The report calls for "improve[ment] [of India's] criminal enforcement regime" and for "deterrent" sentences and expeditious judicial disposition of IPR infringement cases. While we agree with the last suggestion, the first two are most unacceptable. Increased criminal enforcement of what is essentially a private monopoly right is undesirable. Copyright infringement on non-commercial scales should not be a criminal offence at all. What would deter people from infringing copyright laws is not "deterrent sentences" but more convenient and affordable access to the copyright work being infringed.</p>
</li>
</ol>
<h2>On Patents</h2>
<p>Thankfully, this year the Special 301 report does not criticise the Indian Patent Act for providing for post-grant opposition to patent filings, as it has in previous years. However, it still criticises section 3(d) of the Patent Act, which ensures that 'evergreening' of drug patents is not allowed by requiring that new forms of known substances be patented only if "the enhancement of the known efficacy of [the known] substance" is shown. Thus, the US wishes India to change its domestic law to enable large pharma companies to patent new forms of known substances that aren't even better ("enhancement of the known efficacy"). For instance, "new means of drug delivery" will not, contrary to the assertions of the Special 301 report and the worries of PhRMA, be deemed unpatentable.</p>
<p>The United States has been going through much turmoil over its patent system. Reform of the patent system is currently underway in the US through administrative means, judicial means, as well as legislative means. One of the main reasons for this crumbling of the patent system has been the low bar for patentability (most notably the 'obviousness' test) in the United States and the subsequent over-patenting. An <a href="http://supreme.justia.com/us/447/303/case.html">American judgment</a> even noted that "anything under the sun that is made by man" is patentable subject matter. It is well-nigh impossible to take American concerns regarding our high patent standards seriously, given this context.</p>
<h2>Miscellanea</h2>
<p>The harms of counterfeit medicine, as <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">we have noted earlier</a>, are separate issues that are best dealt with under health safety regulations and consumer laws, rather than trademark law.</p>
<p>Data exclusivity has been noted to be harmful to the progress of generics, and seeks to extend proprietary rights over government-mandated test data. It is clear from the TRIPS Agreement that data exclusivity is not mandatory. There are clear rationales against it, and the Indian pharmaceutical industry is dead-set against it. Still, the United States Trade Representative persists in acting as a corporate shill, calling on countries such as India to implement such detrimental laws.</p>
<h2>Conclusion</h2>
<p>Michael Geist, professor at the University of Ottawa, <a href="http://www.michaelgeist.ca/content/view/4997/125">astutely notes</a>:</p>
<blockquote>
<p>Looking beyond just Canada, the list [of countries condemned by the Special 301 report] is so large, that it is rendered meaningless. According to the report, approximately 4.3 billion people live in countries without effective intellectual property protection. Since the report does not include any African countries outside of North Africa, the U.S. is effectively saying that only a small percentage of the world meet its standard for IP protection. Canada is not an outlier, it's in good company with the fastest growing economies in the world (the BRIC countries are there) and European countries like Norway, Italy, and Spain.
In other words, the embarrassment is not Canadian law. Rather, the embarrassment falls on the U.S. for promoting this bullying exercise and on the Canadian copyright lobby groups who seemingly welcome the chance to criticize their own country. </p>
</blockquote>
<p>His comments apply equally well to India.</p>
<h1>IIPA's Recommendation for the Special 301 Report</h1>
<p>Thankfully, this year <a href="http://www.iipa.com/rbc/2010/2010SPEC301INDIA.pdf">IIPA's recommendations</a> have not been directly copied into the Special 301 report. (They couldn't be incorporated, as seen below.) For instance, the IIPA report notes:</p>
<blockquote>
<p>The industry is also concerned about moves by the government to consider mandating the use of open source software and software of only domestic origin. Though such policies have not yet been implemented, IIPA and BSA urge that this area be carefully monitored.</p>
</blockquote>
<p>Breaking that into two bits:</p>
<h2>Open Source</h2>
<p>Firstly, it is curious to see industry object to legal non-pirated software. Secondly, many of BSA's members (if not most) use open source software, and a great many of them also produce open source software. <a href="http://hp.sourceforge.net/">HP</a> and <a href="http://www-03.ibm.com/linux/ossstds/">IBM</a> have been huge supporters of open source software. Even <a href="http://www.microsoft.com/opensource/">Microsoft has an open source software division</a>. Intel, <a href="http://www.sap.com/usa/about/newsroom/press.epx?pressid=11410">SAP</a>, <a href="http://www.cisco.com/web/about/doing_business/open_source/index.html">Cisco</a>, <a href="http://linux.dell.com/projects.shtml">Dell</a>, <a href="http://www.sybase.com/developer/opensource">Sybase</a>, <a href="http://www.entrust.com/news/index.php?s=43&item=702">Entrust</a>, <a href="http://about.intuit.com/about_intuit/press_room/press_release/articles/2009/IntuitPartnerPlatformAddsOpenSourceCommunity.html">Intuit</a>, <a href="http://www.synopsys.com/community/interoperability/pages/libertylibmodel.aspx">Synopsys</a>, <a href="http://www.apple.com/opensource/">Apple</a>, <a href="http://www.theregister.co.uk/2005/04/22/jbuilder_eclipse/">Borland</a>, <a href="http://w2.cadence.com/webforms/squeak/">Cadence</a>, <a href="http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=6153839">Autodesk</a>, and <a href="http://news.cnet.com/8301-13505_3-9967593-16.html">Siemens</a> are all members of BSA which support open source software / produce at least some open source software. And <em>all</em> BSA members rely on open source software (as part of their core products, their web-server, their content management system, etc.) to a lesser or greater extent. BSA's left hand doesn't seem to know what its right hand -- its members -- are doing. 
Indeed, the IIPA does not seem to realise that the United States' government itself uses open source software, and has been urged to <a href="http://news.bbc.co.uk/2/hi/7841486.stm">look at FOSS very seriously</a> and is doing so, especially under CIO Vivek Kundra. And that may well be the reason why the USTR could not include this cautionary message in the Special 301 report.</p>
<h2>Domestic Software</h2>
<p>As <a href="http://arstechnica.com/tech-policy/news/2010/04/indias-copyright-proposals-are-un-american-and-thats-bad.ars">this insightful article by Nate Anderson in Ars Technica</a> notes:</p>
<blockquote>
<p>Open source is bad enough, but a "buy Indian" law? That would be <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/buyamerica.aspx?lang=eng">an outrage</a> and surely something the US government would not itself engage in <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/ARRA.aspx?lang=eng">as recently as last year</a>. Err, right?</p>
</blockquote>
<p>Furthermore, the IIPA submission does not provide any reference for its claim that making "domestic origin" software a mandatory requirement in governmental software procurement is being considered.</p>
<h2>WCT, WPPT, Camcording, and Statutory Damages</h2>
<p>The IIPA submission also wishes that India would:</p>
<ol>
<li>Adopt a system of statutory damages in civil cases; allow compensation to be awarded in criminal cases;</li>
<li>Adopt an optical disc law;</li>
<li>Enact Copyright Law amendments consistent with the WCT and WPPT;</li>
<li>Adopt an anti-camcording criminal provision.</li>
</ol>
<p>Quick counters:</p>
<ol>
<li>Statutory damages (that is, an amount based on statute rather than actual loss) would result in ridiculousness such as the $1.92 million damages that the jury (based on the statutory damages) slapped on Jammie Thomas. The judge in that case <a href="http://arstechnica.com/tech-policy/news/2010/01/judge-slashes-monstrous-jammie-thomas-p2p-award-by-35x.ars">called the damage award</a> "monstrous and shocking" and said that it veered into "the realm of gross injustice."</li>
<li>The reasons against an optical disc law are given above. Quick recap: it is a) unnecessary and b) harmful.</li>
<li>India has not signed the WCT and the WPPT. Indian law satisfies all our international obligations. Thus enacting amendments consistent with the WCT and the WPPT is not required.</li>
<li>Camcording of a film is in any case a violation of the Copyright Act, 1957, and one would be hard-pressed to find a single theatre that allows for / does not prohibit camcorders. Given this, the reason for an additional law is, quite frankly, puzzling. At any rate, IIPA in its submission does not go into such nuances.</li>
</ol>
<h2>Further conclusions</h2>
<p><a href="http://spicyipindia.blogspot.com/2010/05/us-special-301-report-and-not-so.html">Shamnad Basheer</a>, an IP professor at NUJS, offers the following as a response:</p>
<blockquote>
<p>"Dear USA,</p>
<p>India encourages you to mind your own business. We respect your sovereignty to frame IP laws according to your national priorities and suggest that you show us the same courtesy. If your grouse is that we haven't complied with TRIPS, please feel free to take us to the WTO dispute panel. Our guess is that panel members familiar with the English language will ultimately inform you that section 3(d) is perfectly compatible with TRIPS. And that Article 39.3 does not mandate pharmaceutical data exclusivity, as you suggest!
More importantly, at that point, we might even think of hauling you up before the very same body for rampant violations, including your refusal to grant TRIPS mandated copyright protection to our record companies, despite a WTO ruling (Irish music case) against you.</p>
<p>Yours sincerely,</p>
<p>India."</p>
</blockquote>
<p>Basheer's suggestion seems to be in line with that of Michael Geist, who believes that other countries should join Canada and Israel in openly refusing to acknowledge the validity of the Special 301 Reports because they lack 'reliable and objective analysis'. And that thought serves as a good coda.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/a2k/blogs/2010-special-301'>http://editors.cis-india.org/a2k/blogs/2010-special-301</a>
</p>
No publisher | pranesh | Development, Consumer Rights, Access to Knowledge, Copyright, Piracy, Access to Medicine, Intellectual Property Rights, Data Protection, FLOSS, Technological Protection Measures, Publications | 2011-10-03T05:37:27Z | Blog Entry
Does the Safe-Harbor Program Adequately Address Third Parties Online?
http://editors.cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online
<b>While many citizens outside of the US and EU benefit from the data privacy provisions of the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. </b>
<p>To date, the EU-US Safe Harbor Program leads in governing
the complex and multi-directional flows of personal information online. As commerce began to thrive in the online
context, the European Union was faced with the challenge of ensuring that personal
information exchanged through online services was granted
levels of protection on par with provisions set out in EU privacy law. This was important, notably as the piecemeal
and sectoral approach to privacy legislation in the United States was deemed incompatible
with the EU approach. While the Safe
Harbor program did not aim to protect the privacy of citizens outside of the
European Union per se, the program has in practice set minimum standards for
online data privacy due to the international success of American online
services.</p>
<p>While many citizens outside of the US and EU benefit from
the Safe Harbor Program, it remains unclear how successful the program will be in an
online ecosystem where third-parties are being granted increasingly more rights
over the data they receive from first parties.
Using Facebook as a site of analysis, I will attempt to shed light on
the deficiencies of the framework for addressing the complexity of data flows
in the online ecosystem. First, I will argue
that the safe harbor program does not do enough to ensure that participants are
held reasonably responsible for third party privacy practices. Second, I will argue that the information
asymmetries created between first party sites, citizens, and governance bodies
vis-à-vis third parties obscure the application of the Safe Harbor Model.</p>
<p><strong>The EU-US
Safe-Harbor Agreement</strong></p>
<p>In 1995, and based on earlier <a href="http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html">OECD
guidelines</a>, the EU Data Directive on the “protection of individuals with
regard to the processing of personal data and the free movement of such data”
was passed<a name="_ednref1" href="#_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [1]. The original purpose of the EU Privacy
Directive was not only to increase privacy protection within the European
Union, but to also promote trade liberalization and a single integrated market
in the EU. After the Data Directive was
passed, each member state of the EU incorporated the principles of
the directive into national laws accordingly. </p>
<p>While the Directive was successful in harmonizing data
privacy in the European Union, it also embodied extraterritorial
provisions, giving it reach<a name="_ednref2" href="#_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> beyond the EU. Article 25 of the Directive states that the
EU Commission may ban data transfers to third countries that do not ensure “an
adequate level of protection” of data privacy rights<a name="_ednref3" href="#_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [2]. Also, Article 26 of the Directive, expanding
on Article 25, states that personal data cannot be <em>transferred </em>to a country that “does not ensure an adequate level of
protection” if the data controller does not enter into a contract that adduces
adequate privacy safeguards<a name="_ednref4" href="#_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [3].
</p>
<p>In light of the increased occurrence of cross-border
information flows, the Data Directive itself was not effective enough to ensure that
privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefore, the EU-US Safe-Harbor was established by the
EU Council and the US Department of Commerce as a way of mending the variant
levels of privacy protection set out in these jurisdictions, while also promoting
online commerce. </p>
<p><strong>Social Networking
Sites and the Safe-Harbor Principles</strong></p>
<p>The case of social networking sites exemplifies the ease
with which data is transferred, processed, and stored between jurisdictions. While many of the top social networking sites
are registered American entities, they continue to attract users not only from
the EU, but also internationally. In accordance
with EU law, many social networking sites, including LinkedIn, Facebook,
Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes
place in the United States in accordance with U.S. law and relies, to a great
degree, on enforcement by the private sector.
TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program
among social networking sites. </p>
<p>Drawing broadly on the principles embodied within the EU
Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor
were developed. These principles include
Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity
and Enforcement. The principle of “Notice”
sets out that an organization must inform individuals about the purposes for
which it collects and uses information about them, how to contact the
organization with any inquiries or complaints, the types of third parties to
which it discloses the information, and the choices and means the organization
offers individuals for limiting its use and disclosure. </p>
<p>“Choice” ensures that individuals have the opportunity to
opt out of having their personal information disclosed to a third
party, and that information is not used for purposes incompatible with the purposes for
which it was originally collected. The
“Onward Transfer” principle ensures that a third party receiving information
subscribes to the Safe Harbor principles, is subject to the Directive, or
enters into a written agreement which requires that the third party provide at
least the same level of privacy protection as is required by the relevant
principles.</p>
<p>The principles of “Security” and “Data Integrity” seek to
ensure that reasonable precautions are taken to protect against the loss or misuse of
data, and that information is not used in a manner which is incompatible with
the purposes for which it has been collected, minimizing the risk that personal
information would be misused or abused.
Individuals are also granted the right, through the access principle, to
view the personal information about them that an organization holds, and to
ensure that it is up-to-date and accurate.
The “Enforcement” principle works to ensure that there is an effective mechanism
for assuring compliance with the principles, and that there are consequences
for the organization when the principles are not followed.</p>
<p>The principles of the program are quite clear and
enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social
networking services have become increasingly clear and straightforward since
their inception. Facebook, for example,
has revamped its <a href="http://www.facebook.com/privacy/explanation.php">privacy
regime</a> several times, and gives explicit notice to users of how their
information is being used. The privacy
policy also explains the relationship between third parties and your personal information—including
how it may be used by advertisers, search engines, and fellow members. </p>
<p>With respect to third party advertisers, principles of
“choice” are clearly granted by most social networking services. For example, the <a href="http://www.networkadvertising.org/">Network Advertising Initiative</a>, a
self-regulatory initiative of the online advertising industry, clearly lists
its member websites and allows individuals to opt out of any targeted
advertising conducted by its members. In
Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s
opt out features is given, allowing individuals to make somewhat informed
choices about their participation in such programs. This point is, of course, in light of the
fact that most users do not read or understand the privacy policies provided by
social networking sites<a name="_ednref5" href="#_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [4].
It is also important to note that Google, a major player in the online
advertising business, does not grant users of Buzz and Orkut the same “opt-out”
options as sites such as Facebook and Bebo.</p>
<p>Under the auspices of the US Federal Trade Commission, the
Safe Harbor Program has also successfully investigated and settled several
privacy-related breaches which have taken place on social networking sites. One of the most famous cases is <a href="http://www.beaconclasssettlement.com/">Lane et al. v. Facebook et al.</a>,
which was a class action suit brought against Facebook’s Beacon Advertising
program. The US Federal Trade Commission
was quick to initiate an investigation of the program after many privacy groups
and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow
Facebook users to share information with their friends about actions taken on
affiliated, third party sites. This included,
for example, the movie rentals a user had made through the Blockbuster website. </p>
<p>The Plaintiffs filed a suit, alleging that Facebook and its
affiliates did not give users adequate notice and choice about Beacon and the
collection and use of users’ personal information. The Beacon program was ultimately found to
be in breach of US law, including the <a href="http://epic.org/privacy/vppa/">Video
Privacy Protection Act</a>, which bans the disclosure of personally identifiable
rental information. Facebook has
announced the settlement of the lawsuit, not bringing individual settlements,
but a marked end to the program and the development of a 9.5 million dollar <a href="http://www.p2pnet.net/story/37119">Facebook Privacy Fund</a> dedicated to
privacy and data-related issues. Other privacy
related investigations of social networking sites launched by the FTC under the
Safe Harbor Program include Facebook’s <a href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly">privacy
changes</a> in late 2009, and Google’s recently released <a href="http://www.networkworld.com/news/2010/032910-lawmakers-ask-for-ftc-investigation.html">Buzz
application</a>.</p>
<p>Despite the headway the Safe Harbor is making, many privacy
related questions remain ambiguous with respect to the responsibilities of social networking
sites under the program. For example,
Bebo <a href="http://www.bebo.com/Privacy2.jsp">reserves the right</a> to
supplement a social profile with additional information collected from publicly
available information and information from other companies. Bebo does adhere to the “notice principle”, as
it makes known to users how their information will be used through its privacy
policy. However, it remains unclear if appropriate disclosures are given by Bebo
as required by the Safe Harbor Framework, notably as the concept of “publicly
available information” remains broad and obscure in the privacy policy. It is also unclear whether or not Bebo users
are able to, under the “Choice” principle, refuse to have their profiles
supplemented by other information sources. Also, under the “access
principle”, do individuals have the right to review all information held about them as “Bebo
users”? The right to review information
held by a social networking site is an important one that should be upheld. This is most notable as supplementary information
from outside social networking services is employed to profile individual users in ways which may
work to categorize individuals in undesirable ways.</p>
<p><strong>The Third Party Problem</strong></p>
<p>Cooperation between social networking sites and the Safe
Harbor has improved, and most of these sites now have privacy policies which
explicitly address the principles of the Program. It should also be noted that public interest
groups, such as EPIC, the Center for Digital Democracy, and The Electronic
Frontier Foundation, have played a key role in ensuring that data privacy
breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately
addressed the privacy practices of first party participants, the number of
third parties on social networking sites calls into question the
comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere
to the Safe Harbor Program. However, its
growing number of third party platform members may not always adhere to best practices
in the field, nor can Facebook or the Safe Harbor Program guarantee that they
do so.</p>
<p>The Safe Harbor Program does require that all participants
take certain security measures when transferring data to a third party. Third parties must either subscribe to the
safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization may also
enter into a written agreement with a third party requiring that they provide
at least the same level of privacy protection as is required by program
principles. Therefore, third parties of
participating program sites are, de facto, bound by the safe harbor principles
by way of entering into agreement with a first party participant of the
program. This is the approach taken by
most social networking sites and their third parties.</p>
<p>It is important to note, however, that third parties are not
governed directly by the regulatory bodies, such as the FTC. The safe harbor website also <a href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">explicitly notes</a>
that the program does not apply to third parties. Therefore, as per these provisions, Facebook must
adhere to the principles of the program, while its third party platform members
(such as social gaming companies), only must do so indirectly as per a separate
contract with Facebook. The
effectiveness of this indirect mode of governing third party privacy
practices is questionable for numerous reasons.</p>
<p>Firstly, while Facebook does take steps to ensure that
third parties use information from Facebook in a manner which is consistent with
the safe harbor principles, the company explicitly <a href="http://www.facebook.com/policy.php">waives any guarantee</a> that third
parties will “follow their rules”. Prior to allowing third parties to access any
information about users, Facebook requires third parties to <a href="http://www.facebook.com/terms.php">agree to terms</a> that limit their
use of information, and also uses technical measures to ensure that they only
obtain authorized information. Facebook
also warns users to “always review the policies of third party applications and
websites to make sure you are comfortable with the ways in which they use
information”. Not only are users
required to read the privacy policies of every third party application, but they are
also expected to report applications which may be in violation of privacy
principles. In this sense, Facebook not
only waives responsibility for third party privacy breaches, but also places further
regulatory onus upon the user.</p>
<p>As the program guidelines express, the safe harbor relies to
a great degree on enforcement by the private sector. However, it is likely that a self-regulatory
framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must
ensure that the privacy practices of third parties are adequate. However, at the same time, the company may
simultaneously waive its responsibility for third party compliance with safe
harbor principles. Therefore, it remains
questionable as to where responsibility for third parties exactly lies. When third parties are not directly
answerable to the governing bodies of the safe harbor program, and when first parties
can waive responsibility for their practices, where does the incentive to
effectively regulate third parties come from? </p>
<p>While Facebook may in fact take reasonable legal and technical
measures to ensure third party compliance, the room for potential dissonance
between speech and deed is worrisome. Facebook is required to ensure that third
parties provide “<a href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">at least the same
level of privacy protection</a>” as they do.
However, in practice, this has yet to become the case. A quick survey of twelve of the most popular
Platform Applications in the gaming category showed<a name="_ednref6" href="#_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a>
that third parties are not granting their users the “same level of privacy
protection”[5]. For example, section 9.2.3
of Facebook’s “<a href="http://www.facebook.com/terms.php">Rights and
Responsibilities</a>” for Developers/Operators of applications/sites states
that they must “have a privacy policy or otherwise make it clear to users what
user data you are going to use and how you will use, display, or share that
data”. </p>
<p>However, out of the 12 gaming applications surveyed, four
companies failed to make privacy policies available to users <em>before</em> they granted the application
access to the personal information, including that of their friends<a name="_ednref7" href="#_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [6]. After searching for the privacy policies on
the websites of each of the four social gaming companies, two completely failed
to post privacy policies on their central websites. This practice is in direct breach of the
contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly
post privacy policies, many of the provisions set out in these policies were
questionable vis-à-vis safe harbor principles. </p>
<p>For example, Zynga, maker of the popular games Mafia Wars and
Farmville, reserves the right to “maintain copies of your content
indefinitely”. This practice is contrary
to the Safe Harbor principles, which state that information should not be kept for
longer than required to run a service.
Electronic Arts also maintains similar provisions for data retention in
its privacy policy. Such practices are
all the more worrisome in light of the fact that both companies also reserve the
right to collect information on users from other sources to supplement profiles
held. This includes (but is not limited
to) newspapers and Internet sources such as blogs, instant messaging services, and
other games. It is also worth
noting that only one of the twelve social gaming companies surveyed directly
participates in the safe harbor program. </p>
<p>In addition to the difficulties of ensuring that safe harbor
principles are adhered to by third parties, the information asymmetries which
exist between first party sites, citizens, and governance bodies vis-à-vis
third parties complicate this model. Foremost,
it is clear that Facebook, despite its resources, cannot keep tabs on the
practices of all of its applications.
This calls into question whether industry self-regulation can really guarantee
that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or
understanding held by citizens about how third parties use their information
is particularly problematic when a system relies so heavily on users to report
suspected privacy breaches. The same is
likely to be true for governments, too. As
one legal scholar, promoting a more laissez-faire approach to third party
regulation, notes, multiple and invisible third party relationships present
challenges to traditional forms of legal regulation<a name="_ednref8" href="#_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a> [7]. </p>
<p>In an “open” social ecosystem, the sheer volume of data
flows between users of social networking sites and third party players appears
to have become increasingly difficult to effectively regulate. While the safe harbor program has been
successful in establishing best practices and minimum standards for data
privacy, it is also clear that governance bodies, and public interest groups,
have focused most attention on large industry players such as Facebook. This has left smaller third party players on
social networking sites in the shadows of any substantive regulatory concern. If
one thing has become clear, it is that governments may no longer be
able to effectively govern the flows of data in the burgeoning context of “open
data”. </p>
<p>As I have demonstrated, it remains questionable whether or
not Facebook can regulate third parties’ data collection practices
effectively. Imposing more stringent
responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be
undue to impose liability on social networking sites for the data breaches of
third parties. However, it is not
unreasonable to require sites like Facebook to go beyond setting “minimum
standards” for data privacy, towards taking a more active enforcement role, even if
through TRUSTe or another regulatory body.
If the safe harbor is to be effective, it cannot allow program participants
to simply waive liability for third party privacy practices. The indemnity granted to third parties on social
networking sites may render the safe harbor program more effective in sustaining
the non-liability of third parties than in protecting the data privacy of
citizens.</p>
<div>
<hr align="left" size="1" width="33%" />
</div>
<p class="discreet"><a name="_edn1" href="#_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a>[1] Official Directive 95/46/EC</p>
<p class="discreet"><a name="_edn2" href="#_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a></p>
<p class="discreet"><a name="_edn3" href="#_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a>[2] 95/46/EC</p>
<p class="discreet">[3] Ibid</p>
<p class="discreet"><a name="_edn4" href="#_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a><a name="_edn5" href="#_ednref5"><span class="MsoEndnoteReference"></span></a>[4] See Acquisti,
A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy
on Facebook. <em>PET 2006</em></p>
<p class="discreet"><a name="_edn6" href="#_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a>[5] The privacy policies browsed include those of Zynga, Rock
You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom,
Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.</p>
<p class="discreet"><a name="_edn7" href="#_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference"></span></span></a>[6] By adding an application, users are also sharing with
third parties the information of their friends if they do not specifically opt out of this practice.</p>
<p class="discreet">[7] See Milina, S. (2003).
Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to
Online Profiling. <em>Cardozo Arts and Entertainment Law Journal</em>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online'>http://editors.cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online</a>
</p>
No publisher; rebecca; Privacy, Internet Governance, Facebook, Data Protection, Social Networking; 2011-08-02T07:19:34Z; Blog Entry
IT Act and Commerce
http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce
<b>This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.</b>
<p>This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).</p>
<h2>Definitions</h2>
<p>The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:</p>
<h3>Computer Network</h3>
<p>The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.</p>
<h3>Communication Devices</h3>
<p>The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.</p>
<p>There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.</p>
<h2>Electronic Signatures</h2>
<p>One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.</p>
<p>The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).</p>
<h3>Replacement of Digital Signatures</h3>
<p>The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.</p>
<p>Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable. </p>
<p>The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.</p>
<h3>Dual Requirement</h3>
<p>One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.</p>
<p>Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.</p>
<h3>Emphasis on Digital Signatures</h3>
<p>Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures. </p>
<p>It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.</p>
<h3>Certifying Authorities</h3>
<p>The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.</p>
<h3>Impact on Other Statutes</h3>
<p>Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.</p>
<h2>Data Protection</h2>
<p>Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.</p>
<h3>Data under the IT Act 2000</h3>
<p>The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.</p>
<h3>Data under the IT Act 2008</h3>
<p>Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.</p>
<h3>The Civil Remedies for Data Protection</h3>
<p>The newly introduced Section 43-A reads as follows:</p>
<blockquote>
<p>Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.</p>
<p> Explanation - For the purposes of this section:</p>
<p> (i) “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</p>
<p>(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and</p>
<p>(iii) “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.</p>
</blockquote>
<p>While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.</p>
<h3>Non-Electronic Data</h3>
<p>In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.</p>
<p>It could be argued that given the legislative focus of this statute (it has been called the Information Technology Act for a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid, those who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years must temper their enthusiasm, as these new provisions merely provide solutions for electronic data.</p>
<h3>Classification of Data</h3>
<p>Most international data protection statutes distinguish between different levels of personal data – specifying different levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject. </p>
<p>The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.</p>
<h3>Consequences</h3>
<p>Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated. </p>
<p>However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.</p>
<h3>Negligence in Implementing Security Practices</h3>
<p>Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.</p>
<p>There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.</p>
<h3>Wrongful Loss and Gain</h3>
<p>The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.</p>
<p>There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.</p>
<h3>Limitation on Liability</h3>
<p>The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.</p>
<h3>Reasonable Security Practices and Procedures</h3>
<p>Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:</p>
<ul><li>By agreement;</li><li>By law; and</li><li>By prescription by the Central Government.</li></ul>
<p>As there is no law in India which sets out an appropriate definition for the term, and since it will be some time before the Central Government comes out with the necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.</p>
<p>As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.</p>
<h3>The Criminal Remedies for Unlawful Disclosure of Information</h3>
<p>In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.</p>
<p>Section 72-A reads:</p>
<blockquote>
<p> Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.</p>
</blockquote>
<p>In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.</p>
<h3>Personal Information</h3>
<p>The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.</p>
<h3>"Willful"</h3>
<p>The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.</p>
<h3>Service Contracts</h3>
<p>The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.</p>
<h3>Consent</h3>
<p>This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.</p>
<p>Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.</p>
<h3>Media of Material</h3>
<p>This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.</p>
<h3>What’s Missing</h3>
<p>In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However, it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce'>http://editors.cis-india.org/internet-governance/blog/it-act-and-commerce</a>
</p>
No publisher; pranesh; IT Act, Digital Governance, Data Protection, Authentication, Security; 2011-08-02T07:41:45Z; Blog Entry