The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
The 2010 Special 301 Report Is More of the Same, Slightly Less Shrill
http://editors.cis-india.org/a2k/blogs/2010-special-301
<b>Pranesh Prakash examines the numerous flaws in the Special 301 from the Indian perspective, to come to the conclusion that the Indian government should openly refuse to acknowledge such a flawed report. He notes that the Consumers International survey, to which CIS contributed the India report, serves as an effective counter to the Special 301 report.</b>
<h1>Special 301 Report: Unbalanced Hypocrisy</h1>
<p>The United States Trade Representative has put out yet another edition of the Special 301 report, which details the copyright law and policy wrongdoings of the US's trading partners. Jeremy Malcolm of Consumers International notes that the report this year claims to be a "well-balanced assessment of intellectual property protection and enforcement ... taking into account diverse factors", but:</p>
<blockquote>
<p>[I]n fact, the report largely continues to be very one-sided. As in previous editions, it lambasts developing countries for failing to meet unrealistically stringent standards of IP protection that exceed their obligations under international law.</p>
</blockquote>
<p>The more the report changes, <a href="http://cis-india.org/advocacy/ipr/blog/consumers-international-ip-watch-list-2009">the more it stays the same</a>. <a href="http://www.michaelgeist.ca/content/view/4684/195/">Despite having wider consultations</a> than just the International Intellectual Property Alliance (IIPA, consisting of US-based IP-maximalist lobbyists like the Motion Picture Association of America, Recording Industry Association of America, National Music Publishers Association, Association of American Publishers, and Business Software Alliance) and the Pharmaceutical Research and Manufacturers of America (PhRMA, consisting of US-based pharma multinationals), things haven't really changed much in terms of the shoddiness of the Special 301 report.</p>
<h1>India and the 2010 Special 301 Report</h1>
<p>The Special 301 report for 2010 contains the following assessment of India:</p>
<blockquote>
<p>India will remain on the Priority Watch List in 2010. India continues to make gradual progress on efforts to improve its legislative, administrative, and enforcement infrastructure for IPR. India has made incremental improvements on enforcement, and its IP offices continued to pursue promising modernization efforts. Among other steps, the United States is encouraged by the Indian government’s consideration of possible trademark law amendments that would facilitate India’s accession to the Madrid Protocol. The United States encourages the continuation of efforts to reduce patent application backlogs and streamline patent opposition proceedings. Some industries report improved engagement and commitment from enforcement officials on key enforcement challenges such as optical disc and book piracy. However, concerns remain over India’s inadequate legal framework and ineffective enforcement. Piracy and counterfeiting, including the counterfeiting of medicines, remains widespread and India’s enforcement regime remains ineffective at addressing this problem. Amendments are needed to bring India’s copyright law in line with international standards, including by implementing the provisions of the WIPO Internet Treaties. Additionally, a law designed to address the unauthorized manufacture and distribution of optical discs remains in draft form and should be enacted in the near term. The United States continues to urge India to improve its IPR regime by providing stronger protection for patents. One concern in this regard is a provision in India’s Patent Law that prohibits patents on certain chemical forms absent a showing of increased efficacy. While the full import of this provision remains unclear, it appears to limit the patentability of potentially beneficial innovations, such as temperature-stable forms of a drug or new means of drug delivery. 
The United States also encourages India to provide protection against unfair commercial use, as well as unauthorized disclosure, of undisclosed test or other data generated to obtain marketing approval for pharmaceutical and agricultural chemical products. The United States encourages India to improve its criminal enforcement regime by providing for expeditious judicial disposition of IPR infringement cases as well as deterrent sentences, and to change the perception that IPR offenses are low priority crimes. The United States urges India to strengthen its IPR regime and will continue to work with India on these issues in the coming year. </p>
</blockquote>
<p>This short dismissal of the Indian IPR regime, and subsequent classification of India as a "Priority Watch List" country reveals the great many problems with the Special 301.</p>
<h2>On Copyrights</h2>
<ol>
<li>
<p>The report notes that there are "concerns over India's inadequate legal framework and ineffective enforcement". However, nowhere does it bother to point out precisely <em>how</em> India's legal framework is inadequate, and how this is negatively affecting authors and creators, consumers, or even the industry groups (MPAA, RIAA, BSA, etc.) that give input to the USTR via the IIPA. Nor does it acknowledge the well-publicised fact that the statistics put out by these bodies have time and again <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">proven to be wrong</a>.</p>
</li>
<li>
<p>Apart from this bald allegation, which has no backing, there is a bald statement about India needing to bring its copyright law "in line with international standards" including "the WIPO Internet Treaties". Given that more than half the countries of the world are not signatories to either of the WIPO Internet Treaties (namely the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty), calling them 'international standards' is suspect. That apart, both those treaties are TRIPS-plus treaties (requiring protections greater than the already-high standards of the TRIPS Agreement). India has not signed either of them. It should not be obligated to do so. Indeed, Ruth Okediji, a noted copyright scholar, <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1433848">states</a>:</p>
</li>
</ol>
<blockquote>
<p>Consistent with their predecessors, the WIPO Internet Treaties marginalize collaborative forms of creative engagement with which citizens in the global South have long identified and continue in the tradition of assuming that copyright’s most enduring cannons are culturally neutral. [...] The Treaties do not provide a meaningful basis for a harmonized approach to encourage new creative forms in much the same way the Berne Convention fell short of embracing diversity in patterns and modes of authorial expression.</p>
</blockquote>
<ol>
<li>
<p>Some of the 'problems' noted in the report are actually seen as being beneficial by many researchers and scholars such as Lawrence Liang, Achal Prabhala, Perihan Abou Zeid <a href="https://sites.google.com/site/iipenforcement/bibliography">and others</a>, who argue that <a href="http://www.altlawforum.org/intellectual-property/publications/articles-on-the-social-life-of-media-piracy/reconsidering-the-pirate-nation">lax enforcement has enabled access to knowledge and promotion of innovation</a>. In a panel on 'Access to Knowledge' at the Internet Governance Forum, <a href="http://a2knetwork.org/access-knowledge-internet-governance-forum">Lea Shaver, Jeremy Malcolm and others</a> who have been involved in the Access to Knowledge movement noted that lack of strict enforcement played a positive role in many developing countries. However, they also noted, with a fair bit of trepidation, that this was sought to be changed at the international level through treaties such as the Anti-Counterfeiting Trade Agreement (ACTA).</p>
</li>
<li>
<p>The scope of an optical disc law is quite different from that of copyright law. The report condemns "unauthorized manufacture and distribution of optical discs"; however, it does not make it clear that what it is talking about is not just unlicensed copying of films (which is already prohibited under the Copyright Act) but the manufacture and distribution of blank CDs and DVDs as well. The need for such a law is assumed, but never demonstrated. It is onerous for CD and DVD manufacturers (such as the Indian company Moser Baer), and is an overbearing means of attacking piracy.</p>
</li>
<li>
<p>The report calls for "improve[ment] [of India's] criminal enforcement regime" and for "deterrent" sentences and expeditious judicial disposition of IPR infringement cases. While we agree with the last suggestion, the first two are most unacceptable. Increased criminal enforcement of what is essentially a private monopoly right is undesirable. Copyright infringement on non-commercial scales should not be a criminal offence at all. What would deter people from infringing copyright laws are not "deterrent sentences" but more convenient and affordable access to the copyright work being infringed.</p>
</li>
</ol>
<h2>On Patents</h2>
<p>Thankfully, this year the Special 301 report does not criticise the Indian Patent Act for providing for post-grant opposition to patent filings, as it has in previous years. However, it still criticises section 3(d) of the Patent Act, which ensures that 'evergreening' of drug patents is not allowed by permitting new forms of known substances to be patented only if "the enhancement of the known efficacy of [the known] substance" is shown. Thus, the US wishes India to change its domestic law to enable large pharma companies to patent new forms of known substances that aren't even better ("enhancement of the known efficacy"). For instance, "new means of drug delivery" will not, contrary to the assertions of the Special 301 report and the worries of PhRMA, be deemed unpatentable.</p>
<p>The United States has been going through much turmoil over its patent system. Reform of the patent system is currently underway in the US through administrative means, judicial means, as well as legislative means. One of the main reasons for this crumbling of the patent system has been the low bar for patentability (most notably the 'obviousness' test) in the United States and the subsequent over-patenting. An <a href="http://supreme.justia.com/us/447/303/case.html">American judgment</a> even noted that "anything under the sun that is made by man" is patentable subject matter. It is well-nigh impossible to take American concerns regarding our high patent standards seriously, given this context.</p>
<h2>Miscellanea</h2>
<p>The harms of counterfeit medicine, as <a href="http://www.cis-india.org/a2k/blog/fallacies-lies-and-video-pirates">we have noted earlier</a>, are a separate issue that is best dealt with under health safety regulations and consumer laws, rather than trademark law.</p>
<p>Data exclusivity has been noted to be harmful to the progress of generics, and seeks to extend proprietary rights over government-mandated test data. It is clear from the TRIPS Agreement that data exclusivity is not mandatory. There are clear rationales against it, and the Indian pharmaceutical industry is dead-set against it. Still, the United States Trade Representative persists in acting as a corporate shill, calling on countries such as India to implement such detrimental laws.</p>
<h2>Conclusion</h2>
<p>Michael Geist, professor at the University of Ottawa, <a href="http://www.michaelgeist.ca/content/view/4997/125">astutely notes</a>:</p>
<blockquote>
<p>Looking beyond just Canada, the list [of countries condemned by the Special 301 report] is so large, that it is rendered meaningless. According to the report, approximately 4.3 billion people live in countries without effective intellectual property protection. Since the report does not include any African countries outside of North Africa, the U.S. is effectively saying that only a small percentage of the world meet its standard for IP protection. Canada is not outlier, it's in good company with the fastest growing economies in the world (the BRIC countries are there) and European countries like Norway, Italy, and Spain.
In other words, the embarrassment is not Canadian law. Rather, the embarrassment falls on the U.S. for promoting this bullying exercise and on the Canadian copyright lobby groups who seemingly welcome the chance to criticize their own country. </p>
</blockquote>
<p>His comments apply equally well to India.</p>
<h1>IIPA's Recommendation for the Special 301 Report</h1>
<p>Thankfully, this year <a href="http://www.iipa.com/rbc/2010/2010SPEC301INDIA.pdf">IIPA's recommendations</a> have not been directly copied into the Special 301 report. (They couldn't be incorporated, as seen below.) For instance, the IIPA report notes:</p>
<blockquote>
<p>The industry is also concerned about moves by the government to consider mandating the use of open source software and software of only domestic origin. Though such policies have not yet been implemented, IIPA and BSA urge that this area be carefully monitored.</p>
</blockquote>
<p>Breaking that into two bits:</p>
<h2>Open Source</h2>
<p>Firstly, it is curious to see industry object to legal non-pirated software. Secondly, many of BSA's members (if not most) use open source software, and a great many of them also produce open source software. <a href="http://hp.sourceforge.net/">HP</a> and <a href="http://www-03.ibm.com/linux/ossstds/">IBM</a> have been huge supporters of open source software. Even <a href="http://www.microsoft.com/opensource/">Microsoft has an open source software division</a>. Intel, <a href="http://www.sap.com/usa/about/newsroom/press.epx?pressid=11410">SAP</a>, <a href="http://www.cisco.com/web/about/doing_business/open_source/index.html">Cisco</a>, <a href="http://linux.dell.com/projects.shtml">Dell</a>, <a href="http://www.sybase.com/developer/opensource">Sybase</a>, <a href="http://www.entrust.com/news/index.php?s=43&item=702">Entrust</a>, <a href="http://about.intuit.com/about_intuit/press_room/press_release/articles/2009/IntuitPartnerPlatformAddsOpenSourceCommunity.html">Intuit</a>, <a href="http://www.synopsys.com/community/interoperability/pages/libertylibmodel.aspx">Synopsys</a>, <a href="http://www.apple.com/opensource/">Apple</a>, <a href="http://www.theregister.co.uk/2005/04/22/jbuilder_eclipse/">Borland</a>, <a href="http://w2.cadence.com/webforms/squeak/">Cadence</a>, <a href="http://usa.autodesk.com/adsk/servlet/item?siteID=123112&id=6153839">Autodesk</a>, and <a href="http://news.cnet.com/8301-13505_3-9967593-16.html">Siemens</a> are all members of BSA which support open source software / produce at least some open source software. And <em>all</em> BSA members rely on open source software (as part of their core products, their web-server, their content management system, etc.) to a lesser or greater extent. BSA's left hand doesn't seem to know what its right hand -- its members -- are doing.
Indeed, the IIPA does not seem to realise that the United States' government itself uses open source software, and has been urged to <a href="http://news.bbc.co.uk/2/hi/7841486.stm">look at FOSS very seriously</a> and is doing so, especially under CIO Vivek Kundra. And that may well be the reason why the USTR could not include this cautionary message in the Special 301 report.</p>
<h2>Domestic Software</h2>
<p>As <a href="http://arstechnica.com/tech-policy/news/2010/04/indias-copyright-proposals-are-un-american-and-thats-bad.ars">this insightful article by Nate Anderson in Ars Technica</a> notes:</p>
<blockquote>
<p>Open source is bad enough, but a "buy Indian" law? That would be <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/buyamerica.aspx?lang=eng">an outrage</a> and surely something the US government would not itself engage in <a href="http://www.canadainternational.gc.ca/sell2usgov-vendreaugouvusa/procurement-marches/ARRA.aspx?lang=eng">as recently as last year</a>. Err, right?</p>
</blockquote>
<p>Furthermore, the IIPA submission does not provide any reference for its claim that "domestic origin" software is being considered as a mandatory requirement in governmental software procurement.<br />
</p>
<h2>WCT, WPPT, Camcording, and Statutory Damages</h2>
<p>The IIPA submission also wishes that India would:</p>
<ol>
<li>Adopt a system of statutory damages in civil cases; allow compensation to be awarded in criminal cases;</li>
<li>Adopt an optical disc law;</li>
<li>Enact Copyright Law amendments consistent with the WCT and WPPT;</li>
<li>Adopt an anti-camcording criminal provision.</li>
</ol>
<p>Quick counters:</p>
<ol>
<li>Statutory damages (that is, an amount based on statute rather than actual loss) would result in ridiculousness such as the $1.92 million damages that the jury (based on the statutory damages) slapped on Jammie Thomas. The judge in that case <a href="http://arstechnica.com/tech-policy/news/2010/01/judge-slashes-monstrous-jammie-thomas-p2p-award-by-35x.ars">called the damage award</a> "monstrous and shocking" and said that it veered into "the realm of gross injustice."</li>
<li>The reasons against an optical disc law are given above. Quick recap: it is a) unnecessary and b) harmful.</li>
<li>India has not signed the WCT and the WPPT. Indian law satisfies all our international obligations. Thus enacting amendments consistent with the WCT and the WPPT is not required.</li>
<li>Camcording of a film is in any case a violation of the Copyright Act, 1957, and one would be hard-pressed to find a single theatre that allows for / does not prohibit camcorders. Given this, the reason for an additional law is, quite frankly, puzzling. At any rate, IIPA in its submission does not go into such nuances.</li>
</ol>
<h2>Further conclusions</h2>
<p><a href="http://spicyipindia.blogspot.com/2010/05/us-special-301-report-and-not-so.html">Shamnad Basheer</a>, an IP professor at NUJS, offers the following as a response:</p>
<blockquote>
<p>"Dear USA,</p>
<p>India encourages you to mind your own business. We respect your sovereignty to frame IP laws according to your national priorities and suggest that you show us the same courtesy. If your grouse is that we haven't complied with TRIPS, please feel free to take us to the WTO dispute panel. Our guess is that panel members familiar with the English language will ultimately inform you that section 3(d) is perfectly compatible with TRIPS. And that Article 39.3 does not mandate pharmaceutical data exclusivity, as you suggest!
More importantly, at that point, we might even think of hauling you up before the very same body for rampant violations, including your refusal to grant TRIPS mandated copyright protection to our record companies, despite a WTO ruling (Irish music case) against you.</p>
<p>Yours sincerely,</p>
<p>India."</p>
</blockquote>
<p>Basheer's suggestion seems to be in line with that of Michael Geist, who believes that other countries should join Canada and Israel in openly refusing to acknowledge the validity of the Special 301 Reports because they lack 'reliable and objective analysis'. And that thought serves as a good coda.</p>
pranesh | Development, Consumer Rights, Access to Knowledge, Copyright, Piracy, Access to Medicine, Intellectual Property Rights, Data Protection, FLOSS, Technological Protection Measures, Publications | 2011-10-03T05:37:27Z | Blog Entry
How Function Of State May Limit Informed Consent: Examining Clause 12 Of The Data Protection Bill
http://editors.cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function
<b>The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.</b>
<p>The blog post was <a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/">published in Medianama</a> on February 18, 2022. This is the first of a two-part series by Amber Sinha.</p>
<hr />
<p style="text-align: justify; ">In 2018, hours after the Committee of Experts led by Justice Srikrishna released their report and draft bill, I wrote <a href="https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html">an opinion piece</a> providing my quick take on what was good and bad about the bill. A section of my analysis focused on Clause 12 (then Clause 13) which provides for non-consensual processing of personal data for state functions. I called this provision a ‘carte-blanche’ which effectively allowed the state to process a citizen’s data for practically all interactions between them without having to deal with the inconvenience of seeking consent. My former colleague, Pranesh Prakash, <a href="https://twitter.com/pranesh/status/1023116679440621568">pointed out</a> that this was not a correct interpretation of the provision as I had missed the significance of the word ‘necessary’ which was inserted to act as a check on the powers of the state. He also pointed out, correctly, that in its construction, this provision is equivalent to the position in the European General Data Protection Regulation (Article 6 (i) (e)), and is perhaps even more restrictive.</p>
<p style="text-align: justify; ">While I agree with what Pranesh says above (his claims are largely factual, and there can be no basis for disagreement), my view of Clause 12 has not changed. While Clause 35 has been a focus of considerable discourse and analysis, for good reason, I continue to believe that Clause 12 remains among the most dangerous provisions of this bill, and I will try to unpack why here.</p>
<p style="text-align: justify; ">The Data Protection Bill 2021 has a chapter on the grounds for processing personal data, and one of those grounds is consent by the individual. The rest of the grounds deal with various situations in which personal data can be processed without seeking consent from the individual. Clause 12 lays down one of the grounds. It allows the state to process data without the consent of the individual in the following cases —</p>
<p>a) where it is necessary to respond to a medical emergency<br />b) where it is necessary for state to provide a service or benefit to the individual<br />c) where it is necessary for the state to issue any certification, licence or permit<br />d) where it is necessary under any central or state legislation, or to comply with a judicial order<br />e) where it is necessary for any measures during an epidemic, outbreak or public health<br />f) where it is necessary for safety procedures during disaster or breakdown of public order</p>
<p>In order to carry out (b) and (c), there is also the added requirement that the state function must be authorised by law.</p>
<h2>Twin restrictions in Clause 12</h2>
<p style="text-align: justify; ">The use of the words ‘necessary’ and ‘authorised by law’ is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of the state function. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process my data if it needs to do so, to provide me with the service or benefit. The second restriction means that this would apply to only those state functions which are authorised by law, meaning only those functions which are supported by validly enacted legislation.</p>
<p style="text-align: justify; ">What we need to keep in mind regarding Clause 12 is that the requirement of ‘authorised by law’ does not mean that legislation must provide for that specific kind of data processing. It simply means that the larger state function must have legal backing. The danger is how these provisions may be used with broad mandates. If the activity in question is non-consensual collection and processing of, say, demographic data of citizens to create state resident hubs which will assist in the provision of services such as healthcare, housing, and other welfare functions; all that may be required is that the welfare functions are authorised by law.</p>
<h2 style="text-align: justify; ">Scope of privacy under Puttaswamy</h2>
<p style="text-align: justify; ">It would be worthwhile, at this point, to delve into the nature of the restrictions that, as discussed in the landmark Puttaswamy judgement, the state can impose on privacy. The judgement clearly identifies the principles of informed consent and purpose limitation as central to informational privacy. As discussed repeatedly during the course of the hearings and in the judgement, privacy, like any other fundamental right, is not absolute. However, restrictions on the right must be reasonable in nature. In the case of Clause 12, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In Puttaswamy, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases.</p>
<p style="text-align: justify; ">The Puttaswamy judgement clearly states that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” By locating the right not just in Article 21 but also in the entirety of Part III, the bench clearly requires that “the drill of various Articles to which the right relates must be scrupulously followed.” This means that where transgressions on privacy relate to different provisions in Part III, the different tests under those provisions will apply along with those in Article 21. For instance, where the restrictions relate to personal freedoms, the tests under both Article 19 (right to freedoms) and Article 21 (right to life and liberty) will apply.</p>
<p style="text-align: justify; ">In the case of Clause 12, the three tests laid down by Justice Chandrachud are most operative —<br />a) the existence of a “law”<br />b) a “legitimate State interest”<br />c) the requirement of “proportionality”.</p>
<p style="text-align: justify; ">The first test is already reflected in the use of the phrase ‘authorised by law’ in Clause 12. The test under Article 21 would imply that the function of the state should not merely be authorised by law, but that the law, in both its substance and procedure, must be ‘fair, just and reasonable.’ The next test is that of ‘legitimate state interest’. In its report, the Joint Parliamentary Committee places emphasis on Justice Chandrachud’s use of “allocation of resources for human development” in an illustrative list of legitimate state interests. The report claims that the ground, functions of the state, thus satisfies the legitimate state interest. We do not dispute this claim.</p>
<h2 style="text-align: justify; ">Proportionality and Clause 12</h2>
<p style="text-align: justify; ">It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement, which is most operative in this context. Unlike Clauses 42 and 43 which include the twin tests of necessity and proportionality, the committee has chosen to only employ one ground in Clause 12. Proportionality is a commonly employed ground in European jurisprudence and common law countries such as Canada and South Africa, and it is also an integral part of Indian jurisprudence. As commonly understood, the proportionality test consists of three parts —</p>
<p>a) the limiting measures must be carefully designed, or rationally connected, to the objective<br />b) they must impair the right as little as possible<br />c) the effects of the limiting measures must not be so severe on individual or group rights that the legitimate state interest, albeit important, is outweighed by the abridgement of rights.</p>
<p style="text-align: justify; ">The first test is similar to the test of proximity under Article 19. The test of ‘necessity’ in Clause 12 must be viewed in this context. It must be remembered that the test of necessity is not limited to only situations where it may not be possible to obtain consent while providing benefits. My reservations with the sufficiency of this standard stem from observations made in the report, as well as the relatively small amount of jurisprudence on this term in Indian law.</p>
<p style="text-align: justify; ">The Srikrishna Report interestingly mentions three kinds of scenarios where consent should not be required — where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at a conclusion that the response to this problem is to further erode the power available to citizens by removing the need for consent altogether under Clause 12. There is limited jurisprudence on the standard of ‘necessity’ under Indian law. The Supreme Court has articulated this test as ‘having reasonable relation to the object the legislation has in view.’ If we look elsewhere for guidance on how to read ‘necessity’, the ECHR in Handyside v United Kingdom held it to be neither “synonymous with indispensable” nor does it have the “flexibility of such expressions as admissible, ordinary, useful, reasonable or desirable.” In short, there must be a pressing social need to satisfy this ground.</p>
<p style="text-align: justify; ">However, the other two tests of proportionality do not find a mention in Clause 12 at all. There is no requirement of ‘narrow tailoring’, that the scope of non-consensual processing must impair the right as little as possible. It is doubly unfortunate that this test does not find a place, as unlike necessity, ‘narrow tailoring’ is a test well understood in Indian law. This means that while there is a requirement to show that processing personal data was necessary to provide a service or benefit, there is no requirement to process data in a way that there is minimal non-consensual processing. The fear is that as long as there is a reasonable relation between processing data and the object of the function of state, state authorities and other bodies authorised by it, do not need to bother with obtaining consent.</p>
<p style="text-align: justify; ">Similarly, the third test of proportionality is also not represented in this provision. It provides a test between the abridgement of individual rights and legitimate state interest in question, and it requires that the first must not outweigh the second. The absence of the proportionality test leaves Clause 12 devoid of any such consideration. Therefore, as long as the test of necessity is met under this law, it need not evaluate the denial of consent against the service or benefit that is being provided.</p>
<p style="text-align: justify; ">The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state, by setting the threshold to circumvent informed consent extremely low. In the next post, I will demonstrate the ease with which Clause 12 can allow indiscriminate data sharing by focusing on the Indian government’s digital healthcare schemes.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function'>http://editors.cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function</a>
</p>
No publisher | amber | Data Governance, Internet Governance, Data Protection, Privacy | 2022-03-01T14:56:49Z | Blog Entry
Clause 12 Of The Data Protection Bill And Digital Healthcare: A Case Study
http://editors.cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study
<b>In light of the state’s emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?</b>
<p>The blog post was <a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-digital-healthcare-case-study/">published in Medianama</a> on February 21, 2022. This is the second in a two-part series by Amber Sinha.</p>
<hr />
<p style="text-align: justify; ">In the <a href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/">previous post</a>, I looked at provisions on non-consensual data processing for state functions under the most recent version of recommendations by the Joint Parliamentary Committee on India’s Data Protection Bill (DPB). The true impact of these provisions can only be appreciated in light of ongoing policy developments and real-life implications.</p>
<p style="text-align: justify; ">To appreciate the significance of the dilutions in Clause 12, let us consider the Indian state’s range of schemes promoting digital healthcare. In July 2018, NITI Aayog, a central government policy think tank in India, released a strategy and approach paper (Strategy Paper) on the formulation of the National Health Stack which envisions the creation of a federated application programming interface (API)-enabled health information ecosystem. While the Ministry of Health and Family Welfare has focused on the creation of Electronic Health Records (EHR) Standards for India during the last few years and also identified a contractor for the creation of a centralised health information platform (IHIP), this Strategy Paper advocates a completely different approach, which is described as a Personal Health Records (PHR) framework. In 2021, the National Digital Health Mission (NDHM) was launched under which a citizen shall have the option to obtain a digital health ID. A digital health ID is a unique ID and will carry all health records of a person.</p>
<h2 style="text-align: justify; ">A Stack Model for Big Data Ecosystem in Healthcare</h2>
<p style="text-align: justify; ">A stack model, as envisaged in the Strategy Paper, consists of several layers of open APIs connected to each other, often tied together by a unique health identifier. The open nature of APIs has the advantage that it allows public and private actors to build solutions on top of it, which are interoperable with all parts of the stack. It is, however, worth considering both the ‘openness’ and the role that the state plays in it.</p>
<p style="text-align: justify; ">Even though the APIs are themselves open, they are a part of a pre-decided technological paradigm, built by private actors and blessed by the state. Even though innovators can build on it, the options available to them are limited by the information architecture created by the stack model. When such a technological paradigm is created for healthcare reform and health data, the stack model poses additional challenges. By tying the stack model to the unique identity, without appropriate processes in place for access control, siloed information, and encrypted communication, the stack model poses tremendous privacy and security concerns. The broad language under Clause 12 of the DPB needs to be looked at in this context.</p>
<p>Clause 12 allows non-consensual processing of personal data where it is necessary “for the performance of any function of the state authorised by law” in order to provide a service or benefit from the State. In the previous post, I had highlighted the import of the use of only ‘necessity’ to the exclusion of ‘proportionality’. Now, we need to consider its significance in light of the emerging digital healthcare apparatus being created by the state.</p>
<p style="text-align: justify; ">The National Health Stack and National Digital Health Mission together envision an intricate system of data collection and exchange which in a regulatory vacuum would ensure unfettered access to sensitive healthcare data for both the state and private actors registered with the platforms. The Stack framework relies on repositories where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the health records for delivering services to the individual. The cast of characters involves the National Health Authority, health care providers and insurers who access the National Health Electronic Registries, unified data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI), and private actors such as Swasth and iSpirt who assist the Mission as volunteers. The currency that government and private actors are interested in is data.</p>
<p style="text-align: justify; ">The promised benefits of healthcare data in an anonymised and aggregate form range from Disease Surveillance to Pharmacovigilance as well as Health Schemes Management Systems and Nutrition Management, benefits which have only been more acutely emphasised during the pandemic. However, the pandemic has also normalised the sharing of sensitive healthcare data with a variety of actors, without much thought given to much-needed data minimisation practices.</p>
<p style="text-align: justify; ">The potential misuses of healthcare data include greater state surveillance and control, predatory and discriminatory practices by private actors which rely on Clause 12 to do away with even the pretense of informed consent so long as the processing of data is deemed necessary by the state and its private sector partners to provide any service or benefit.</p>
<p style="text-align: justify; ">Subclause (e) in Clause 12, which was added in the last version of the Bill drafted by MeitY and has been retained by the JPC, allows processing wherever it is necessary for ‘any measures’ to provide medical treatment or health services during an epidemic, outbreak or threat to public health. Yet again, the overly-broad language used here is designed to ensure that any annoyances of informed consent can be easily brushed aside wherever the state intends to take any measures under any scheme related to public health.</p>
<p style="text-align: justify; ">Effectively, how does the framework under Clause 12 alter the consent and purpose limitation model? Data protection laws introduce an element of control by tying purpose limitation to consent. Individuals provide consent to specified purposes, and data processors are required to respect that choice. Where there is no consent, the purposes of data processing are sought to be limited by the necessity principle in Clause 12. The state (or authorised parties) must be able to demonstrate necessity to the exercise of state function, and data must only be processed for those purposes which flow out of this necessity. However, unlike the consent model, this provides an opportunity to keep reinventing purposes for different state functions.</p>
<p style="text-align: justify; ">In the absence of a data protection law, data collected by one agency is shared indiscriminately with other agencies and used for multiple purposes beyond the purpose for which it was collected. The consent and purpose limitation model would have addressed this issue. But, by having a low threshold for non-consensual processing under Clause 12, this form of data processing is effectively being legitimised.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study'>http://editors.cis-india.org/internet-governance/blog/medianama-february-21-2022-amber-sinha-data-protection-bill-digital-healthcare-case-study</a>
</p>
No publisher | amber | Data Governance, Internet Governance, Data Protection, Privacy | 2022-03-01T15:07:44Z | Blog Entry
Nothing to Kid About – Children's Data Under the New Data Protection Bill
http://editors.cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill
<b>The pandemic has forced policymakers to adapt their approach to people's changing practices, from looking at contactless ways of payment to the shifting of educational institutions online.</b>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The article was originally <a class="external-link" href="https://www.ijlt.in/post/nothing-to-kid-about-children-s-data-under-the-new-data-protection-bill">published in the Indian Journal of Law and Technology</a></p>
<hr />
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">For children, the internet has shifted from being a form of entertainment to a medium to connect with friends and seek knowledge and education. However, each time they access the internet, data about them and their choices are inadvertently recorded by companies and unknown third parties. The growth of EdTech apps in India has led to growing concerns regarding children's data privacy. This has led to the creation of a <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">self-regulatory</a> body, the Indian EdTech Consortium. More recently, the <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">Advertising Standard Council of India</a><span class="_3zM-5"> has </span>also started looking at passing a draft regulation to keep a check on EdTech advertisements.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The Joint Parliamentary Committee (JPC), tasked with drafting and revising the Data Protection Bill, had to consider the number of changes that had happened after the release of the 2019 version of the Bill. While the most significant change was the removal of the term “personal data” from the title of the Bill, in a move to create a comprehensive Data Protection Bill that includes both personal and non-personal data, certain other provisions of the Bill also featured additions and removals. The JPC, in its revised version of the Bill, has removed an entire class of <a class="_1lsz7 _3Bkfb" href="https://prsindia.org/billtrack/the-personal-data-protection-bill-2019#:~:text=Obligations%20of%20data%20fiduciary%3A%20A,specific%2C%20clear%20and%20lawful%20purpose" rel="noopener noreferrer" target="_blank">data fiduciaries</a> – guardian data fiduciary – which was tasked with greater responsibility for managing children's data. The JPC justified the removal of the guardian data fiduciary by stating that consent from the guardian of the child is enough to meet the end for which personal data of children are processed by the data fiduciary. While thought has been given to looking at how consent is given by the guardian on behalf of the child, there was no change in the age of children in the Bill. Keeping the age of consent under the Bill as the same as the age of majority to enter into a contract under the 1872 Indian Contract Act – 18 years – reveals the disconnect the law has with the ground reality of how children interact with the internet.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">In the current state of affairs where Indian children are navigating the digital world on their own there is a need to look deeply at the processing of children’s data as well as ways to ensure that children have information about consent and informational privacy. By placing the onus of granting consent on parents, the PDP Bill fails to look at how consent works in a privacy policy–based consent model and how this, in turn, harms children in the long run.</p>
<h3 class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d aujbK _3M0Fe _1FoOD iWv3d _1j-51 mm8Nw">1. Age of Consent</h3>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">By setting the age of consent as 18 years under the Data Protection Bill, 2021, it brings all individuals under 18 years of age under one umbrella without making a distinction between the internet usage of a 5-year-old child and a 16-year-old teenager. There is a need to look at the current internet usage habits of children and assess whether requiring parental consent is reasonable or even practical. It is also pertinent to note that the law in the offline world does make the distinction between age and maturity. For example, it has been <a class="_1lsz7 _3Bkfb" href="https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill" rel="noopener noreferrer" target="_blank">highlighted</a> that Section 82 of the Indian Penal Code, read with Section 83, states that any act by a child under the age of 12 years shall not be considered an offence, while the maturity of those aged between 12–18 years will be decided by the court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industries, which would qualify them to fall under Section 13 of the Bill, which deals with employee data.</p>
<p style="text-align: justify; "><span>A 2019 </span><a class="_1lsz7 _3Bkfb" href="https://reverieinc.com/wp-content/uploads/2020/09/IAMAI-Digital-in-India-2019-Round-2-Report.pdf" rel="noopener noreferrer" target="_blank">report</a><span> suggests that two-thirds of India’s internet users are in the 12–29 years age group, accounting for about 21.5% of the total internet usage in metro cities. With the emergence of cheaper phones equipped with faster processing and low internet data costs, children are no longer passive consumers of the internet. They have social media accounts and use several applications to interact with others and make purchases. There is a need to examine how children and teenagers interact with the internet as well as the practicality of requiring parental consent for the usage of applications.</span></p>
<p style="text-align: justify; "><span>Most applications that require age data request users to type in their date of birth; it is not difficult for a child to input a suitable date that would make it appear that they are </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">over 18</a><span>. In this case they are still children but the content that will be presented to them would be those that are meant for adults including content that might be disturbing or those involving use of </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">alcohol and gambling. </a><span>Additionally, in their privacy policies, applications sometimes state that they are not suited for and restricted from users under 18. Here, data fiduciaries avoid liability by placing the onus on the user to declare their age and properly read and understand the privacy policy.</span></p>
<p style="text-align: justify; "><span>Reservations about the age of consent under the Bill have also been highlighted by some members of the JPC through their dissenting opinions. </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Ritesh Pandey </a><span>suggested that the age of consent should be reduced to 14 years keeping the best interest of the children in mind as well as to support children in benefiting from technological advances. Similarly, </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Manish Tiwari </a><span>in his dissenting opinion suggested regulating data fiduciaries based on the type of content they provide or data they collect.</span></p>
<h3><span>2. How is the 2021 Bill Different from the 2019 Bill?</span></h3>
<p style="text-align: justify; "><span>The </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf" rel="noopener noreferrer" target="_blank">2019 </a><span>draft of the Bill consisted of a class of data fiduciaries called guardian data fiduciaries – entities that operate commercial websites or online services directed at children or which process large volumes of children’s personal data. This class of fiduciaries was barred from profiling, tracking, behavioural monitoring, and running targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child. In the previous draft, such data fiduciaries were not allowed to engage in ‘profiling, tracking, behavioural monitoring of children, or direct targeted advertising at children’. There was also a prohibition on conducting any activities that might significantly harm the child. As per Chapter IV, any violation could attract a penalty of up to INR 15 crore of the worldwide turnover of the data fiduciary for the preceding financial year, whichever is higher. However, this separate class of data fiduciaries do not have any additional responsibilities. It is also unclear as to whether a data fiduciary that does not by definition fall within such a category would be allowed to engage in activities that could cause ‘significant harm’ to children.</span></p>
<p style="text-align: justify; "><span>The new Bill also does not provide any mechanisms for age verification and only lays down considerations that verification processes should be undertaken. Furthermore, the JPC has suggested that consent options available to the child when they attain the age of majority, i.e. 18 years, should be included within the rules framed by the Data Protection Authority instead of being an amendment in the Bill.</span></p>
<h3><span>3. In the Absence of a Guardian Data Fiduciary</span></h3>
<p style="text-align: justify; "><span>The 2018 and 2019 drafts of the PDP Bill consider a child to be any person below the age of 18 years. For a child to access online services, the data fiduciary must first verify the age of the child and obtain consent from their guardian. The Bill does not provide an explicit process for age verification apart from stating that regulations shall be drafted in this regard. The 2019 Bill states that the Data Protection Authority shall specify codes of practice in this matter. Taking best practices into account, there is a need for ‘</span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/project-brief-highlighting-inclusive-and-practical-mechanisms-to-protect-childrens-data.pdf" rel="noopener noreferrer" target="_blank">user-friendly and privacy-protecting age verification techniques</a><span>’ to encourage safe navigation across the internet. This will require </span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/bp-global-technological-developments-in-age-verification-and-age-estimation.pdf" rel="noopener noreferrer" target="_blank">looking at </a><span>technological developments and different standards worldwide. There is a need to hold companies </span><a class="_1lsz7 _3Bkfb" href="https://www.livemint.com/opinion/columns/theres-a-better-way-to-protect-the-online-privacy-of-kids-11615306723478.html" rel="noopener noreferrer" target="_blank">accountable</a><span> for the protection of children’s online privacy and the harm that their algorithms cause children and to make sure that they are not continued.</span></p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The JPC in the 2021 version of the Bill removed provisions about guardian data fiduciaries, stating that there was no advantage in creating a different class of data fiduciary. As per the JPC, even those data fiduciaries that did not fall within the said classification would also need to comply with rules pertaining to the personal data of children, i.e. with Section 16 of the Bill. Section 16 of the Bill requires the data fiduciary to verify the child’s age and obtain consent from the parent/guardian. The manner of age verification has also been spelt out. Furthermore, since ‘significant data fiduciaries’ is an existing class, there is still a need to comply with rules related to data processing. The JPC also removed the phrase “in the best interests of, the child” and “is in the best interests of, the child” under sub-clause 16(1), implying that the entire Bill concerned the rights of the data principal and the use of such terms dilutes the purpose of the legislation and could give way to manipulation by the data fiduciary.</p>
<h3><span>Conclusion</span></h3>
<p style="text-align: justify; "><span>Over the past two years, there has been a significant increase in applications that are targeted at children. There has been a proliferation of EduTech apps, which ideally should have more responsibility as they are processing children's data. We recommend that instead of creating a separate category, such fiduciaries collecting children's data or providing services to children be seen as ‘significant data fiduciaries’ that need to take up additional compliance measures.</span></p>
<p style="text-align: justify; "><span>Furthermore, any blanket prohibition on tracking children may obstruct safety measures that could be implemented by data fiduciaries. These fears are also increasing in other jurisdictions, as there is a likelihood of restricting data fiduciaries from using software that looks out for material such as </span><a class="_1lsz7 _3Bkfb" href="https://www.unodc.org/e4j/en/cybercrime/module-12/key-issues/online-child-sexual-exploitation-and-abuse.html" rel="noopener noreferrer" target="_blank">Child Sexual Abuse Material</a><span> as well as online predatory behaviour. Additionally, concerning the age of consent under the Bill, the JPC could look at international best practices and come up with ways to make sure that children can use the internet and have rights over their data, which would enable them to grow up with more awareness about data protection and privacy. One such example to look at could be the Children's Online Privacy Protection Rule (COPPA) in the US, where the rules apply to operators of websites and online services that collect personal information from kids </span><a class="_1lsz7 _3Bkfb" href="https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance" rel="noopener noreferrer" target="_blank">under 13 </a><span>or provide services to children that are directed at a general audience, but have actual knowledge that they collect personal information from such children. Some combination of this system and the significant data fiduciary classification could be one possible way to ensure that children’s data and privacy are preserved online.</span></p>
<hr />
<p>The authors are researchers at the Centre for Internet and Society and thank their colleague Arindrajit Basu for his inputs.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill'>http://editors.cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill</a>
</p>
No publisher | Shweta Mohandas and Anamika Kundu | Digitalisation, Digital Knowledge, Internet Governance, Data Protection, Data Management | 2022-03-10T13:19:52Z | Blog Entry
Privacy is not a unidimensional concept
http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept
<b>Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.</b>
<div>This article, written by Amber Sinha, was published in the <a class="external-link" href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhar-privacy-is-not-a-unidimensional-concept/articleshow/59716562.cms">Economic Times</a> on July 23, 2017. </div>
<div>
<br /></div>
<div>In a disappointing case of judicial evasion by the apex court,
it has taken over 600 days since a reference order passed on
August 11, 2015, for this bench to be constituted. Over two days
of arguments, the counsels for the petitioners have presented
before the court why the right to privacy, despite not finding a
mention in the Constitution of India, is a fundamental right
essential to a person’s dignity and liberty, and must be read into
not one but multiple articles of the Constitution. The government
will make its arguments in the coming week.</div>
<div>One must wonder why we are debating the contours of the right
to privacy, which 40 years of jurisprudence had lulled us into
believing we already had. The answer to that can be found in a
series of hearings in the Aadhaar case that began in 2012. Justice
KS Puttaswamy, a former Karnataka High Court judge, filed a
petition before the Supreme Court, questioning the validity of the
Aadhaar project due to its lack of legislative basis (since then the
Aadhaar Act was passed in 2016) and its transgressions on our
fundamental rights. Over time, a number of other petitions also
made their way to the apex court, challenging different aspects of
the Aadhaar project. Since then, five different interim orders by
the Supreme Court have stated that no person should suffer because
they do not have an Aadhaar number. Aadhaar, according to the
court, could not be made mandatory to avail benefits and services
from government schemes. Further, the court has limited the use of
Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social
Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br />
<br /></div>
<div>The real spanner in the works in the progress of this case was
the stand taken by Mukul Rohatgi, then attorney general of India
who, in a hearing before the court in July 2015, stated that there
is no constitutionally guaranteed right to privacy. His reliance
was on two Supreme Court judgments in MP Sharma v Satish Chandra
(1954) and Kharak Singh v State of Uttar Pradesh (1962): both
cases, decided by eight- and six-judge benches respectively,
denied the existence of a constitutional right to privacy. As the
subsequent judgments which upheld the right to privacy were by
smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh
still prevailed over them, until they were overruled by a larger
bench.</div>
<div>The reference to a larger bench has since delayed the entire
matter, even as a number of government schemes have made Aadhaar
mandatory. This reading of privacy as a unidimensional concept by
the courts is, with due respect, erroneous. Privacy, as a concept,
includes within its scope, spatial, familial, informational and
decisional aspects. We all have a legitimate expectation of
privacy in our private spaces, such as our homes, and in our
personal relationships. Similarly, we must be able to exercise
some control over how personal data, like our financial
information, are disseminated. Most importantly, privacy gives us
the space to make autonomous choices and decisions without
external interference. All these dimensions of privacy must stand
as distinct rights. In MP Sharma, the court rejected a certain
aspect of the right of privacy by refusing to acknowledge a right
against search and seizure. This, in no way prevented the court,
even in the form of a smaller bench, from ruling on any other
aspects of privacy, including those that are relevant to the
Aadhaar case.</div>
<div> </div>
<div>The limited referral to this bench means that the court will
have to rule on the status of privacy and its possible limitations
in isolation, without even going into the details of the Aadhaar
case (based on the nature of protection that this bench accords to
privacy, the petitioners and defendants in the Aadhaar case will
have to argue afresh on whether the project does impede on this
most fundamental right). There are no facts of the case to ground
the legal principles in, and defining the contours of a right can
be a difficult exercise. The court must be wary of how any limits
they put on the right may be used in future. Equally, it is
important to articulate that any limitations on the right to
privacy due to competing interests such as national security and
public interest must be imposed only when necessary and always be
proportionate. <br />
<br /></div>
<p>
It will not be enough for the court to merely state that we have a
constitutional right to privacy. They would be well advised to cut
through the muddle of existing privacy jurisprudence, and
unequivocally establish the various facets of the right. Without
that, we may not be able to withstand the modern dangers of
surveillance, denial of bodily integrity and self-determination
through forcible collection of information. The nine judges, in
their collective wisdom, must not only ensure that we have a right
to privacy, but also clearly articulate a robust reading of this
right capable of withstanding the growing interferences with our
autonomy.</p>
<div> </div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept'>http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Data Protection, Privacy | 2017-08-07T08:02:20Z | Blog Entry
The National Privacy Principles
http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles
<b>In this infographic, we try to break down the National Privacy Principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.</b>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles'>http://editors.cis-india.org/internet-governance/blog/the-national-privacy-principles</a>
</p>
No publisher | Pooja Saxena and Amber Sinha | Data Protection, Privacy | 2016-03-21T09:48:23Z | Blog Entry
Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India
http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india
<b>The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between the European Union and the United States. The inadequacies of the framework are not news for the European Commission, and action by the ECJ has been a long time coming. The ruling raises important questions about how claims of citizenship are being negotiated in the context of the internet, and how contestations of personal data are increasingly being employed in the discourse.</b>
<p align="justify">The European Court of Justice
(ECJ) has invalidated a European Commission (EC) decision<a class="sdfootnoteanc" name="sdfootnote1anc" href="#sdfootnote1sym"><sup>1</sup></a>
which had previously concluded that the 'Safe Harbor Privacy
Principles'<a class="sdfootnoteanc" name="sdfootnote2anc" href="#sdfootnote2sym"><sup>2</sup></a>
provide adequate protections for European citizens’ privacy rights<a class="sdfootnoteanc" name="sdfootnote3anc" href="#sdfootnote3sym"><sup>3</sup></a>
for the transfer of personal data between the European Union and the United
States. This challenge stems from the claim that public law
enforcement authorities in America obtain personal data from
organisations in safe harbour for incompatible and disproportionate
purposes in violation of the Safe Harbour Privacy Principles. The
court's judgment follows the advice of the Advocate General of the
Court of Justice of the European Union (CJEU) who recently opined<a class="sdfootnoteanc" name="sdfootnote4anc" href="#sdfootnote4sym"><sup>4</sup></a>
that US practices allow for large-scale collection and transfer of
personal data belonging to EU citizens without them benefiting from
or having access to judicial protection under US privacy laws. The
inadequacies of the framework are not news for the Commission, and
action by the ECJ has been a long time coming. The ruling raises
important questions about how contestations of
personal data are increasingly being employed in asserting claims of citizenship
in the context of the internet.</p>
<p align="justify">
As the highest court in Europe,
the ECJ's decisions are binding on all member states. With this
ruling the ECJ has effectively restrained US firms from
indiscriminate collection and sharing of European citizens’ data on
American soil. The implications of the decision are significant,
because it shifts the onus of evaluating protections of personal data
for EU citizens from the 4,400 companies<a class="sdfootnoteanc" name="sdfootnote5anc" href="#sdfootnote5sym"><sup>5</sup></a>
subscribing to the system onto EU privacy watchdogs. Most
significantly, in addressing the rights of a citizen against an
established global brand, the judgement goes beyond political and
legal opinion to challenge the power imbalance that exists with
reference to US based firms.</p>
<p align="justify">
Today, the free movement of data
across borders is a critical factor in facilitating trade, financial
services, governance, manufacturing, health and development. However,
to consider the ruling as merely a clarification of transatlantic
mechanisms for data flows misstates the real issue. At the heart of
the judgment is the assessment whether US firms apply the tests of
‘necessity and proportionality’ in the collection and
surveillance of data for national security purposes. Application of
the necessity and proportionality test to national security exceptions
under safe harbor has been a sticking point that has stalled the
renegotiation of the agreement that has been underway between the
Commission and the American data protection authorities.<a class="sdfootnoteanc" name="sdfootnote6anc" href="#sdfootnote6sym"><sup>6</sup></a></p>
<p align="justify">
For EU citizens the stakes in the
case are even higher, as while their right to privacy is enshrined
under EU law, they have no administrative or judicial means of
redress if their data is used for reasons they did not intend. In
the EU, citizens accessing and agreeing to use the services of US-based firms are
presented with a false choice between accessing benefits and giving
up on their fundamental right to privacy. In other words, by seeking
that governments and private companies provide better data protection
for the EU citizens and in restricting collection of personal data on
a generalised basis without objective criteria, the ruling is
effectively an assertion of ‘data sovereignty’. The term ‘data
sovereignty’, while lacking a firm definition, refers to a spectrum
of approaches adopted by different states to control data generated
in or passing through national internet infrastructure.<a class="sdfootnoteanc" name="sdfootnote7anc" href="#sdfootnote7sym"><sup>7</sup></a>
Underlying the ruling is the growing policy divide between the US and
EU privacy and data protection standards, which may lead to what is
referred to as the balkanization<a class="sdfootnoteanc" name="sdfootnote8anc" href="#sdfootnote8sym"><sup>8</sup></a>
of the internet in the future.</p>
<p align="justify">
<em>US-EU Data Protection Regime </em></p>
<p align="justify">
The safe harbor pact between the
EU and US was negotiated in the late 1990s as an attempt to bridge
the different approaches to online privacy. Privacy is addressed in
the EU as a fundamental human right while in the US it is defined
under terms of consumer protection, which allow trade-offs
and exceptions when national security seems to be under threat. In
order to address the lower standards of data protection prevalent in
the US, the pact facilitates data transfers from EU to US by
establishing certain safeguards equivalent to the requirements of the
EU data protection directive. The safe harbor provisions include
firms undertaking not to pass personal information to third parties
if the EU data protection standards are not met and giving users
right to opt out of data collection.<a class="sdfootnoteanc" name="sdfootnote9anc" href="#sdfootnote9sym"><sup>9</sup></a></p>
<p align="justify">
The agreement was due to be
renewed by May 2015<a class="sdfootnoteanc" name="sdfootnote10anc" href="#sdfootnote10sym"><sup>10</sup></a>
and while negotiations have been ongoing for two years, EU discontent
on safe harbour came to the fore following the Edward Snowden
revelations of collection and monitoring facilitated by large private
companies for the PRISM program and after the announcement of the
TransAtlantic Trade and Investment Partnership (TTIP).<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><sup>11</sup></a>
EU member states have mostly stayed silent as they run their own
surveillance programs, oftentimes in cooperation with the NSA. EU
institutions cannot intervene in matters of national security;
however, they do have authority on data protection matters. European
Union officials and Members of Parliament have expressed shock and
outrage at the surveillance programs unveiled by Snowden's 2013
revelations. Most recently, following the CJEU Advocate General’s
opinion, 50 Members of European Parliament (MEP) sent a strongly
worded letter to the US Congress hitting back on claims of ‘digital
protectionism’ emanating from the US<a class="sdfootnoteanc" name="sdfootnote12anc" href="#sdfootnote12sym"><sup>12</sup></a>.
In no uncertain terms the letter clarified that the EU has different
ideas on privacy, platforms, net neutrality, encryption, Bitcoin,
zero-days, or copyright and will seek to improve and change any
proposal from the EC in the interest of our citizens and of all
people.</p>
<p align="justify">
<em>Towards Harmonization </em></p>
<p align="justify">
In November 2013, as an attempt
to minimize the loss of trust following the Snowden revelations, the
European Commission (EC) published recommendations in its report on
'Rebuilding Trust in EU-US Data Flows'.<a class="sdfootnoteanc" name="sdfootnote13anc" href="#sdfootnote13sym"><sup>13</sup></a>
The recommendations revealed two critical initiatives at the EU
level—first was the revision of the EU-US safe harbor agreement<a class="sdfootnoteanc" name="sdfootnote14anc" href="#sdfootnote14sym"><sup>14</sup></a>
and second the adoption of the 'EU-US Umbrella Agreement<a class="sdfootnoteanc" name="sdfootnote15anc" href="#sdfootnote15sym"><sup>15</sup></a>'—a
framework for data transfer for the purpose of investigating,
detecting, or prosecuting a crime, including terrorism. The Umbrella
Agreement was recently initialed by EU and US negotiators and it only
addresses the exchange of personal data between law enforcement
agencies.<a class="sdfootnoteanc" name="sdfootnote16anc" href="#sdfootnote16sym"><sup>16</sup></a>
The Agreement has gained momentum in the wake of recent cases around
issues of territorial duties of providers, enforcement jurisdictions
and data localisation.<a class="sdfootnoteanc" name="sdfootnote17anc" href="#sdfootnote17sym"><sup>17</sup></a>
However, the adoption of the Umbrella Act depends on the US Congress's
adoption of the Judicial Redress
Act (JRA) as law.<a class="sdfootnoteanc" name="sdfootnote18anc" href="#sdfootnote18sym"><sup>18</sup></a></p>
<p align="justify">
<em>Judicial Redress Act </em></p>
<p align="justify">
The JRA is a key reform that the
EC is pushing for in an attempt to address the gap between privacy
rights and remedies available to US citizens and those extended to EU
citizens, including allowing EU citizens to sue in American courts.
The JRA seeks to extend certain protections under the Privacy Act to
records shared by EU and other designated countries with US law
enforcement agencies for the purpose of investigating, detecting, or
prosecuting criminal offenses. The JRA protections would extend to
records shared under the Umbrella Agreement and while it does include
civil remedies for violation of data protection, as noted by the
Center for Democracy and Technology, the present framework does not
provide citizens of EU countries with redress that is at par with
that which US persons enjoy under the Privacy Act.<a class="sdfootnoteanc" name="sdfootnote19anc" href="#sdfootnote19sym"><sup>19</sup></a></p>
<p align="justify">
For example, the measures
outlined under the JRA would only be applicable to countries that
have outlined appropriate privacy protection agreements for data
sharing for investigations and ‘efficiently share’ such
information with the US. Countries that do not have agreements with
the US cannot seek these protections, leaving the personal data of their
citizens open for collection and misuse by US agencies. Further, the
arrangement leaves determination of 'efficiently sharing' in the
hands of US authorities and countries could lose protection if they
do not comply with information sharing requests promptly. Finally,
JRA protections do not apply to non-US persons nor to records shared
for purposes other than law enforcement such as intelligence
gathering. JRA is also weakened by allowing heads of agencies to
exercise their discretion to seek exemption from the Act and opt out
of compliance.</p>
<p align="justify">
Taken together, the JRA, the
Umbrella Act and the renegotiation of the Safe Harbor Agreement need
considerable improvements. It is worth noting that the EU’s acceptance
of the redundancy of existing agreements, and its establishing of the
independence of national data protection authorities in investigating
and enforcing national laws, as demonstrated in the Schrems and
Weltimmo<a class="sdfootnoteanc" name="sdfootnote20anc" href="#sdfootnote20sym"><sup>20</sup></a>
cases, point to accelerated developments in the broader EU privacy
landscape.</p>
<p align="justify">
<em>Consequences </em></p>
<p align="justify">
The ECJ Safe Harbor ruling will
have far-reaching consequences for the online industry. Often, costly
government rulings solidify the market dominance of big companies. As
high regulatory costs restrict the entrance of small and medium
businesses into the market, competition is gradually wiped out. Further,
complying with high standards of data protection means that US firms
handling European data will need to consider alternative legal means
of transfer of personal data. This could include evolving 'model
contracts' binding them to EU data protection standards. As Schrems
points out, “Big companies don’t only rely on safe harbour: they
also rely on binding corporate rules and standard contractual
clauses.”<a class="sdfootnoteanc" name="sdfootnote21anc" href="#sdfootnote21sym"><sup>21</sup></a></p>
<p align="justify">
The ruling is good news for
European consumers, who can now approach a national regulator to
investigate suspicions of data mishandling. EU data protection
regulators may be inundated with requests from companies seeking
authorization of new contracts and with consumer complaints. Some are
concerned that the ruling puts a dent in the globalized flow of
data<a class="sdfootnoteanc" name="sdfootnote22anc" href="#sdfootnote22sym"><sup>22</sup></a>,
effectively requiring data localization in Europe.<a class="sdfootnoteanc" name="sdfootnote23anc" href="#sdfootnote23sym"><sup>23</sup></a>
Others have pointed out that it is unclear how this decision sits
with other trade treaties such as the TPP that ban data
localisation.<a class="sdfootnoteanc" name="sdfootnote24anc" href="#sdfootnote24sym"><sup>24</sup></a>
While the implications of the decision will take some time in playing
out, what is certain is that US companies will have to
restructure management, storage and use of data. The ruling has
created the impetus for India to push for reforms to protect its
citizens from harms by US firms and improve trade relations with EU.</p>
<p align="justify"><em>The Opportunity for India</em></p>
<p align="justify">
Multiple data flows take place
over the internet simultaneously, and that has led to the ubiquity of data
transfers over the Internet, exposing individuals to privacy risks.
There has also been an enhanced economic importance of data
processing as businesses collect and correlate data using analytic
tools to create new demands, establish relationships and generate
revenue for their services. The primary concern of the Schrems case
may be the protection of the rights of EU citizens but by seeking to
extend these rights and ensure compliance in other jurisdictions, the
case touches upon many underlying contestations around data and
sovereignty.</p>
<p align="justify">
Last year, Mr Ram Narain, India's
Head of Delegation to the Working Group Plenary at the ITU, had stressed, “respecting the principle of sovereignty of information through
network functionality and global norms will go a long way in
increasing the trust and confidence in use of ICT.”<a class="sdfootnoteanc" name="sdfootnote25anc" href="#sdfootnote25sym"><sup>25</sup></a>
In the absence of the recognition of privacy as a right and
empowering citizens through measures or avenues to seek redressal
against misuse of data, the demand of data sovereignty rings empty.
The kind of framework which empowered an ordinary citizen in the EU
to approach the highest court seeking redressal based on presumed
overreach of a foreign government and from harms abetted by private
corporations simply does not exist in India. Securing citizens’
data in other jurisdictions and from other governments begins with
establishing protection regimes within the country.</p>
<p align="justify">
The Indian government has also
stepped up efforts to restrict transfer of data from India including
pushing for private companies to open data centers in India.<a class="sdfootnoteanc" name="sdfootnote26anc" href="#sdfootnote26sym"><sup>26</sup></a>
Negotiating data localisation does not restrict private
corporations from using data in broad ways, including tailoring ads
and promoting products. Also, data transfers impact any organisation
with international operations, for example, global multinationals who
need to coordinate employee data and information. Companies like
Facebook, Google and Microsoft transfer and store data belonging to
Indian citizens and it is worth remembering that the National
Security Agency (NSA) would have access to this data through servers
of such private companies. With no existing measures to restrict such
indiscriminate access, the ruling points to the need for India to
evolve strong protection mechanisms. Finally, the lack of such
measures also has an economic impact, as reported in a recent
Nasscom-Data Security Council of India (DSCI) survey<a class="sdfootnoteanc" name="sdfootnote27anc" href="#sdfootnote27sym"><sup>27</sup></a>
that pegs revenue losses incurred by the Indian IT-BPO industry at
$2-2.5 billion for a sample size of 15 companies. DSCI has further
estimated that outsourcing business can further grow by $50 billion
per annum once India is granted a “data secure” status by the
EU.<a class="sdfootnoteanc" name="sdfootnote28anc" href="#sdfootnote28sym"><sup>28</sup></a>
The EU’s refusal to grant such a status is understandable given the
high standard of privacy as incorporated under the European Union
Data Protection Directive, a standard to which India does not match
up, yet. The lack of this status prevents the flow of data which is
vital for the Digital India vision and also affects the service industry
by restricting the flow of sensitive information to India such as
information about patient records.</p>
<p align="justify">
Data and information structures
are controlled and owned by private corporations and networks
transcend national borders, therefore the foremost emphasis needs to
be on improving national frameworks. While enforcement mechanisms
such as the Mutual Legal Assistance Treaty (MLAT) process or other
methods of international cooperation may seem respectful of
international borders and principles of sovereignty,<a class="sdfootnoteanc" name="sdfootnote29anc" href="#sdfootnote29sym"><sup>29</sup></a>
for users that live in undemocratic or oppressive regimes such
agreements are a considerable risk. Data is also increasingly being
stored across multiple jurisdictions, and therefore merely applying
a data location lens to protection measures may be too narrow. Further,
it should be noted that when companies begin taking data storage
decisions based on legal considerations it will impact the speed and
reliability of services.<a class="sdfootnoteanc" name="sdfootnote30anc" href="#sdfootnote30sym"><sup>30</sup></a>
Any future regime must reflect the challenges of data transfers
taking place in legal and economic spaces that are not identical and
may be in opposition. Fundamentally, the protection of privacy will
always act as a barrier to the free flow of information; even so, as
the Schrems case ruling points out, not having adequate privacy
protections could also restrict flow of data, as has been the case
for India.</p>
<p align="justify">
The time is right for India to
appoint a data controller and put in place national frameworks, based
on nuanced understanding of issues of applying jurisdiction to govern
users and their data. Establishing better protection measures will
not only establish trust and enhance the ability of users to control
data about themselves; it is also essential for sustaining economic
and social value generated from data generation and collection.
Suggestions for such frameworks have been considered previously by
the Group of Experts on Privacy constituted by the Planning
Commission.<a class="sdfootnoteanc" name="sdfootnote31anc" href="#sdfootnote31sym"><sup>31</sup></a>
By incorporating transparency in mechanisms for data and access
requests and premising requests on established necessity and
proportionality, the Indian government can lead the way in data protection
standards. This will give the Indian government more teeth to
challenge and address both the dangers of theft of data stored on
servers located outside of India and restrain indiscriminate access
arising from terms and conditions of businesses that grant such
rights to third parties. </p>
<div id="sdfootnote1">
<p>
<a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC
of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and
related frequently asked questions issued by the US Department of
Commerce (notified under document number C(2000) 2441) (Text with
EEA relevance.) <em>Official
Journal L 215 , 25/08/2000 P. 0007 -0047 </em>
2000/520/EC:
<u><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML">http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML</a></u></p>
</div>
<div id="sdfootnote2">
<p>
<a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>
Safe Harbour Privacy Principles Issued by the U.S. Department of
Commerce on July 21, 2000
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote3">
<p>
<a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>
Megan Graham, <a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">Adding Some Nuance on the European Court’s Safe Harbor Decision, Just Security</a></p>
<p>
<u><a href="https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/">https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/</a></u></p>
</div>
<div id="sdfootnote4">
<p>
<a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>
Advocate
General’s Opinion in Case C-362/14 Maximillian Schrems v Data
Protection Commissioner Court of Justice of the European Union,
Press Release, No 106/15 Luxembourg, 23 September 2015
<u><a href="http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf">http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf</a></u></p>
</div>
<div id="sdfootnote5">
<p>
<a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour
alternatives’, The Register, October 7, 2015
<u><a href="http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/">http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/</a></u></p>
</div>
<div id="sdfootnote6">
<p>
<a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
Draft Report, General Data Protection Regulation, Committee on Civil
Liberties, Justice and Home Affairs, European Parliament, 2009-2014
<a href="http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf">http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf</a></p>
</div>
<div id="sdfootnote7">
<p>
<a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS
Characteristics: Data Sovereignty and the Balkanisation of the
Internet’, University of Oxford, July 7, 2014
<u><a href="https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf">https://www.usenix.org/system/files/conference/foci14/foci14-polatin-reuben.pdf</a></u></p>
</div>
<div id="sdfootnote8">
<p>
<a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
Sasha Meinrath, The Future of the Internet: Balkanization and Borders,
Time, October 2013
<u><a href="http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/">http://ideas.time.com/2013/10/11/the-future-of-the-internet-balkanization-and-borders/</a></u></p>
</div>
<div id="sdfootnote9">
<p>
<a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
Safe Harbour Privacy Principles, Issued by the U.S. Department of
Commerce, July 2001
<u><a href="http://www.export.gov/safeharbor/eu/eg_main_018475.asp">http://www.export.gov/safeharbor/eu/eg_main_018475.asp</a></u></p>
</div>
<div id="sdfootnote10">
<p>
<a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a>
Facebook case may force European firms to change data storage practices, The
Guardian, September 23, 2015
<u><a href="http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy">http://www.theguardian.com/us-news/2015/sep/23/us-intelligence-services-surveillance-privacy</a></u></p>
</div>
<div id="sdfootnote11">
<p>
<a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>
Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013
<u><a href="https://iapp.org/news/a/us-eu-safe-harbor-under-pressure">https://iapp.org/news/a/us-eu-safe-harbor-under-pressure</a></u></p>
</div>
<div id="sdfootnote12">
<p>
<a class="sdfootnotesym" name="sdfootnote12sym" href="#sdfootnote12anc">12</a>
Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe
tells Obama, US Congress to back off, The Register, 23 September, 2015
<u><a href="http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/">http://www.theregister.co.uk/2015/09/23/european_politicians_to_congress_back_off/</a></u></p>
</div>
<div id="sdfootnote13">
<p>
<a class="sdfootnotesym" name="sdfootnote13sym" href="#sdfootnote13anc">13</a>
Communication from the Commission to the European Parliament and the
Council, Rebuilding Trust in EU-US Data Flows, European Commission,
November 2013
<u><a href="http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf">http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf</a></u></p>
</div>
<div id="sdfootnote14">
<p>
<a class="sdfootnotesym" name="sdfootnote14sym" href="#sdfootnote14anc">14</a>
Safe Harbor on trial in the European Union, Access Blog, September 2014
<u><a href="https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union">https://www.accessnow.org/blog/2014/11/13/safe-harbor-on-trial-in-the-european-union</a></u></p>
</div>
<div id="sdfootnote15">
<p>
<a class="sdfootnotesym" name="sdfootnote15sym" href="#sdfootnote15anc">15</a>
European Commission - Fact Sheet Questions and Answers on the EU-US data
protection "Umbrella agreement", September 8, 2015
<u><a href="http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm">http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm</a></u></p>
</div>
<div id="sdfootnote16">
<p>
<a class="sdfootnotesym" name="sdfootnote16sym" href="#sdfootnote16anc">16</a>
McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data
transfers’, Lexology, September 14, 2015
<u><a href="http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f">http://www.lexology.com/library/detail.aspx?g=422bca41-2d54-4648-ae57-00d678515e1f</a></u></p>
</div>
<div id="sdfootnote17">
<p>
<a class="sdfootnotesym" name="sdfootnote17sym" href="#sdfootnote17anc">17</a>
Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case,
Lawfare, September 2015
<u><a href="https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case">https://www.lawfareblog.com/lowering-temperature-microsoft-ireland-case</a></u></p>
</div>
<div id="sdfootnote18">
<p>
<a class="sdfootnotesym" name="sdfootnote18sym" href="#sdfootnote18anc">18</a>
Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement
and the Judicial Redress Act: Small Steps Forward for EU Citizens’
Privacy Rights’, October 5, 2015
<u><a href="https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/">https://cdt.org/blog/the-eu-us-umbrella-agreement-and-the-judicial-redress-act-small-steps-forward-for-eu-citizens-privacy-rights/</a></u></p>
</div>
<div id="sdfootnote19">
<p>
<a class="sdfootnotesym" name="sdfootnote19sym" href="#sdfootnote19anc">19</a>
Ibid 18.</p>
</div>
<div id="sdfootnote20">
<p>
<a class="sdfootnotesym" name="sdfootnote20sym" href="#sdfootnote20anc">20</a>
Landmark ECJ data protection ruling could impact Facebook and
Google, The Guardian, 2 October, 2015
<u><a href="http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo">http://www.theguardian.com/technology/2015/oct/02/landmark-ecj-data-protection-ruling-facebook-google-weltimmo</a></u></p>
</div>
<div id="sdfootnote21">
<p>
<a class="sdfootnotesym" name="sdfootnote21sym" href="#sdfootnote21anc">21</a>
Julia Powles, Tech companies like Facebook not above the law, says
Max Schrems, The Guardian, October 9, 2015
<a href="http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice">http://www.theguardian.com/technology/2015/oct/09/facebook-data-privacy-max-schrems-european-court-of-justice</a></p>
</div>
<div id="sdfootnote22">
<p>
<a class="sdfootnotesym" name="sdfootnote22sym" href="#sdfootnote22anc">22</a>
Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling,
The Technology Liberation Front, October 6, 2015
<u><a href="http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831">http://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#more-75831</a></u></p>
</div>
<div id="sdfootnote23">
<p>
<a class="sdfootnotesym" name="sdfootnote23sym" href="#sdfootnote23anc">23</a>
Anupam Chander, Tweeted ECJ
<a href="https://twitter.com/hashtag/schrems?src=hash">#schrems</a>
ruling may effectively require data localization within Europe,
<u><a href="https://twitter.com/AnupamChander/status/651369730754801665">https://twitter.com/AnupamChander/status/651369730754801665</a></u></p>
</div>
<div id="sdfootnote24">
<p>
<a class="sdfootnotesym" name="sdfootnote24sym" href="#sdfootnote24anc">24</a>
Lokman Tsui, Tweeted, “If the TPP bans data localization, but the
ECJ ruling effectively mandates it, what does that mean for the
internet?”
<u><a href="https://twitter.com/lokmantsui/status/651393867376275456">https://twitter.com/lokmantsui/status/651393867376275456</a></u></p>
</div>
<div id="sdfootnote25">
<p>
<a class="sdfootnotesym" name="sdfootnote25sym" href="#sdfootnote25anc">25</a>
Statement from Indian Head of Delegation, Mr Ram Narain for WGPL,
<a href="https://ccgnludelhi.wordpress.com/2014/11/04/indian-statement-on-itu-and-internet-at-the-working-group-plenary/">Indian statement on ITU and Internet at the Working Group Plenary, November 4, 2014</a>
<a href="https://ccgnludelhi.wordpress.com/author/asukum87/page/2/">https://ccgnludelhi.wordpress.com/author/asukum87/page/2/</a></p>
</div>
<div id="sdfootnote26">
<p>
<a class="sdfootnotesym" name="sdfootnote26sym" href="#sdfootnote26anc">26</a>
Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard,
December 2014
<u><a href="http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html">http://www.business-standard.com/article/companies/xiaomi-bets-big-on-india-despite-problems-114122201023_1.html</a></u></p>
</div>
<div id="sdfootnote27">
<p>
<a class="sdfootnotesym" name="sdfootnote27sym" href="#sdfootnote27anc">27</a>
Neha Alawadi, Ruling on data flow between EU & US may impact India’s
IT sector, Economic Times, October 7, 2015
<a href="http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49250738.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></p>
</div>
<div id="sdfootnote28">
<p>
<a class="sdfootnotesym" name="sdfootnote28sym" href="#sdfootnote28anc">28</a>
Pranav Menon, Data Protection Laws in India and Data Security-
Impact on India and Data Security-Impact on India - EU Free Trade
Agreement, CIS Access to Knowledge, 2011
<u><a href="http://cis-india.org/a2k/blogs/data-security-laws-india.pdf">http://cis-india.org/a2k/blogs/data-security-laws-india.pdf</a></u></p>
</div>
<div id="sdfootnote29">
<p>
<a class="sdfootnotesym" name="sdfootnote29sym" href="#sdfootnote29anc">29</a>
Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with
Bangladesh, Economic Times, October 7, 2015
<u><a href="http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst">http://economictimes.indiatimes.com/articleshow/49262294.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</a></u></p>
</div>
<div id="sdfootnote30">
<p>
<a class="sdfootnotesym" name="sdfootnote30sym" href="#sdfootnote30anc">30</a>
Pablo Chavez, Director, Public Policy and Government Affairs, Testifying
before the U.S. Senate on transparency legislation, November 3, 2013
<u><a href="http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html">http://googlepublicpolicy.blogspot.in/2013/11/testifying-before-us-senate-on.html</a></u></p>
</div>
<div id="sdfootnote31">
<p>
<a class="sdfootnotesym" name="sdfootnote31sym" href="#sdfootnote31anc">31</a>
Report
of the Group of Experts on Privacy (Chaired by Justice A P Shah,
Former Chief Justice, Delhi High Court), Planning Commission,
October 2012
<u><a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a></u></p>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india'>http://editors.cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india</a>
</p>
No publisher
jyoti
Access to Knowledge; Digital Economy; Public Accountability; Privacy; Platform Responsibility; Data Protection; Accountability; Digital Security; Digital India; Internet Governance
2015-10-14T14:40:08Z
Blog Entry
Reconfiguring Data Governance: Insights from India and the EU
http://editors.cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu
<b>This policy paper is the result of a workshop organised jointly by the Tilburg Institute of Law, Technology and Society, Netherlands, the Centre for Communication Governance at the National Law University Delhi, India and the Centre for Internet & Society, India in January, 2023. The workshop brought together a number of academics, researchers, and industry representatives in Delhi to discuss a range of issues at the core of data governance theory and practice. </b>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/ReconfiguringDataGovernance.png/@@images/70165fe1-cc66-4cac-9f99-b7485c87218a.png" alt="Reconfiguring Data Governance" class="image-inline" title="Reconfiguring Data Governance" /></p>
<p style="text-align: justify; ">The workshop aimed to compare and assess lessons from data governance from India and the European Union, and to make recommendations on how to design fit-for-purpose institutions for governing data and AI in the European Union and India.</p>
<p style="text-align: justify; ">This policy paper collates key takeaways from the workshop by grounding them across three key themes: how we conceptualise data; how institutional mechanisms as well as community-centric mechanisms can work to empower individuals, and what notions of justice these embody; and finally a case study of enforcement of data governance in India to illustrate and evaluate the claims in the first two sections.</p>
<p style="text-align: justify; ">This report was a collaborative effort between researchers Siddharth Peter De Souza, Linnet Taylor, and Anushka Mittal at the Tilburg Institute for Law, Technology and Society (Netherlands), Swati Punia, Srishti Joshi, and Jhalak M. Kakkar at the Centre for Communication Governance at the National Law University Delhi (India), and Isha Suri and Arindrajit Basu at the Centre for Internet & Society, India.</p>
<hr />
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/reconfiguring-data-governance.pdf"><b>report</b></a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu'>http://editors.cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu</a>
</p>
No publisher
Swati Punia, Srishti Joshi, Siddharth Peter De Souza, Linnet Taylor, Jhalak M. Kakkar, Isha Suri, Arindrajit Basu, and Anushka Mittal
Internet Governance; Data Governance; Data Protection; Data Management
2024-02-20T00:30:00Z
Blog Entry
Electoral Databases – Privacy and Security Concerns
http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns
<b>In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.</b>
<p style="text-align: justify; ">The recent move by the Election Commission of India (ECI) to tie up with Google to provide electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.<a href="#_edn1" name="_ednref1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> After due consideration, the ECI has decided to drop the plan.<a href="#_edn2" name="_ednref2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a></p>
<p style="text-align: justify; ">The plan to partner with Google led to much apprehension about Google gaining access to the database of 790 million voters, including personal information such as age, place of birth and residence. It could also have gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although the plan has been cancelled, this does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website, and the publication of electoral rolls is mandated by the law.</p>
<p style="text-align: justify; "><b>Publication of Electoral Rolls</b><br />The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.</p>
<p style="text-align: justify; ">The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with the list of amendments at his office for inspection and public information. Furthermore, the ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document<a href="#_edn3" name="_ednref3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> given that the roll is published and can be circulated on the direction of the ECI.</p>
<p style="text-align: justify; ">With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to the general public.<a href="#_edn4" name="_ednref4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> In addition, the electoral rolls for the entire country are available on the ECI website.<a href="#_edn5" name="_ednref5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.<a href="#_edn6" name="_ednref6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a></p>
<p style="text-align: justify; "><b>Security Concerns</b><br />The Registration of Electors Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when they are distributed in hard copies and their availability is limited. The security risks emerge only after the digitization of the electoral database, which allows for uniformity, standardization and centralization of the database, which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.</p>
<p style="text-align: justify; ">In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth of processing power there has been a growth in surveillance capabilities; accordingly, the article is titled “<i>With Great Computing Power Comes Great Surveillance</i>”.<a href="#_edn7" name="_ednref7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on an individual’s privacy since the personal information of every voter is made available in the public domain.</p>
<p style="text-align: justify; ">For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies that have a high population of voters above the age of 65. This would help the authority to set up polling booths at closer locations with special amenities. However, the same database can be used to search for the density of members of a particular community in a ward or constituency based on the name, age and sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.</p>
<p style="text-align: justify; "><b>Current IT Laws do not mandate the protection of the electoral database</b><br />A centralized electoral database of the entire country can be considered a critical information infrastructure (CII), given the impact it may have on elections, which are the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”<a href="#_edn8" name="_ednref8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> However, the appropriate Government has not notified the electoral database as a protected system<a href="#_edn9" name="_ednref9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a>. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.</p>
<p style="text-align: justify; ">The Information Technology Rules (IT Rules) are also not applicable to electoral databases, <i>per se</i>. Since the ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (<i>hereinafter </i>Reasonable Security Practices Rules) do not apply to electoral databases. Leaving aside the fact that the Reasonable Security Practices Rules apply only to a body corporate, the electoral database does fall within the ambit of the definition of “personal information”<a href="#_edn10" name="_ednref10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> and should arguably be made subject to the Rules.</p>
<p style="text-align: justify; ">The intent of the ECI for hosting the entire country’s electoral database online <i>inter alia</i> is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”<a href="#_edn11" name="_ednref11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.</p>
<p style="text-align: justify; ">The IT Act and the IT Rules provide reasonable scope for the appropriate Government to include electoral databases within the ambit of protected systems and electronic service delivery. However, the appropriate Government has not taken any steps to notify the electoral database as a protected system or a mode of electronic service delivery under the existing laws.</p>
<p style="text-align: justify; "><b>Conclusion</b><br />Publication of electoral rolls is a necessary part of an election process. It ensures free and fair elections and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve, because the electronic database may pose a threat to the privacy of the voters and also lead to security breaches. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.</p>
<p style="text-align: justify; ">It is recommended that the Registration of Electors Rules, 1960 should be amended, taking into account the advancement in technology. The Rules should aim at restricting unfettered electronic access to the electoral database and also introduce purpose limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.</p>
<div>
<hr align="left" size="1" width="100%" />
<div id="edn1">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref1" name="_edn1"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[i]</span></span></a> Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at <a class="external-link" href="http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss">http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss</a></p>
</div>
<div id="edn2">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref2" name="_edn2"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ii]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
<div id="edn3">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref3" name="_edn3"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iii]</span></span></a> Section 74, Indian Evidence Act, 1872</p>
</div>
<div id="edn4">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref4" name="_edn4"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[iv]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/the_function.aspx">eci.nic.in/eci_main1/the_function.aspx</a></p>
</div>
<div id="edn5">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref5" name="_edn5"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[v]</span></span></a> <a class="external-link" href="http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx">http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx</a></p>
</div>
<div id="edn6">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref6" name="_edn6"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vi]</span></span></a> “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at <a class="external-link" href="http://eci.nic.in/eci_main/eroll&epic/ins06012010.pdf">eci.nic.in/eci_main/eroll&epic/ins06012010.pdf</a></p>
</div>
<div id="edn7">
<p class="MsoEndnoteText"><a href="#_ednref7" name="_edn7"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[vii]</span></span></a> <a class="external-link" href="http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/">http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/</a></p>
</div>
<div id="edn8">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref8" name="_edn8"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[viii]</span></span></a> Section 70, Information Technology Act, 2000</p>
</div>
<div id="edn9">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref9" name="_edn9"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[ix]</span></span></a> Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure</p>
</div>
<div id="edn10">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref10" name="_edn10"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[x]</span></span></a> Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011</p>
</div>
<div id="edn11">
<p class="MsoEndnoteText" style="text-align: justify; "><a href="#_ednref11" name="_edn11"><span class="MsoEndnoteReference"><span class="MsoEndnoteReference">[xi]</span></span></a> Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at <a class="external-link" href="http://eci.nic.in/eci_main1/current/PN09012014.pdf">http://eci.nic.in/eci_main1/current/PN09012014.pdf</a></p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns'>http://editors.cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns</a>
</p>
No publisher
snehashish
Digital Governance; Privacy; Cybersecurity; Data Protection; Internet Governance; Safety; Information Technology; Cyber Security; Security; e-Governance; Transparency, Politics; E-Governance
2014-01-16T11:07:21Z
Blog Entry
Privacy after Big Data: Compilation of Early Research
http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research
<b>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This is a growing body of research that we are exploring and
is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</b>
<h4><a href="https://github.com/cis-india/website/raw/master/docs/CIS_PrivacyAfterBigData_CompilationOfEarlyResearch_2016.11.pdf">Download the Compilation</a> (PDF)</h4>
<hr />
<h3><strong>Privacy after Big Data</strong></h3>
<p>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate the emergence of innovative production and service models. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform aims to enable participation of connected citizens and to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.</p>
<p>These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques runs contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.</p>
<p>These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.</p>
<p>Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy?</p>
<p>Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.</p>
<p>In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits and harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</p>
<p><em>Elonnai Hickok</em><br />Director - Internet Governance</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research'>http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research</a>
</p>
No publisher
Saumyaa Naidu
Human Rights; IT Act; Big Data; Privacy; Internet Governance; Smart Cities; Data Protection; Information Technology; Publications
2016-11-12T01:37:03Z
Blog Entry
Beyond the PDP Bill: Governance Choices for the DPA
http://editors.cis-india.org/internet-governance/blog/trishi-jindal-and-s-vivek-beyond-the-pdp-bill
<b>This article examines the specific governance choices the Data Protection Authority (DPA) in India must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.</b>
<p style="text-align: justify;">The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on 11 December 2019. It lays down an overarching framework for personal data protection in India. Once revised and approved by Parliament, it is likely to establish the first comprehensive data protection framework for India. However, the provisions of the Bill are only one component of the forthcoming data protection framework. It further proposes setting up the Data Protection Authority (DPA) to oversee the final enforcement, supervision, and standard-setting. The Bill consciously chooses to vest the responsibility of administering the framework with a regulator instead of a government department. As an independent agency, the DPA is expected to be autonomous from the legislature and the Central Government and capable of making expert-driven regulatory decisions in enforcing the framework.</p>
<p style="text-align: justify;">Furthermore, the DPA is not merely an implementing authority; it is also expected to develop privacy regulations for India by setting standards. As such, it will set the day-to-day obligations of regulated entities under its supervision. Thus, the effectiveness with which it carries out its functions will be the primary determinant of the impact of this Bill (or a revised version thereof) and the data protection framework set out under it.</p>
<p style="text-align: justify;">The final version of the PDP Bill may or may not provide the DPA with clear guidance regarding its functions. In this article, we emphasise the need to look beyond the Bill and instead examine the specific governance choices the DPA must deliberate on vis-à-vis its standard-setting function, which are distinct from those it will encounter as part of its enforcement and supervision functions.</p>
<p style="text-align: justify;"><strong>A brief timeline of the genesis of a distinct privacy regulator for India</strong></p>
<p style="text-align: justify;">The vision of an independent regulator for data protection in India emerged over the course of several intervening processes that set out to revise India’s data protection laws. In fact, the need for a dedicated data protection regulation for India, with enforceable obligations and rights, was debated years before the <a href="https://thewire.in/government/privacy-aadhaar-supreme-court">Aadhaar</a>, <a href="https://www.thehindu.com/news/national/urgent-need-for-data-protection-laws-experts/article23314655.ece">Cambridge Analytica</a>, and <a href="https://www.livemint.com/opinion/online-views/pegasus-has-given-privacy-legislation-a-jab-of-urgency-11628181453098.html">Pegasus</a> revelations captured the public imagination and mainstreamed conversations on privacy.</p>
<p style="text-align: justify;">The <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">Right to Privacy Bill, 2011</a>, which never took off, recognised the right to privacy in line with Article 21 of the Constitution of India, which pertains to the right to life and personal liberty. The Bill laid down express conditions for collecting and processing data and the rights of data subjects. It also proposed setting up a Data Protection Authority (DPA) to supervise and enforce the law and advise the government in policy matters. Upon review by the Cabinet, it was <a href="https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy">suggested</a> that the Authority be revised to an Advisory Council, given its role under the Bill was limited.</p>
<p style="text-align: justify;">Subsequently, in 2012, the AP Shah Committee Report <a href="https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf">recommended</a> a principle-based data protection law, focusing on set standards while refraining from providing granular rules, to be enforced through a co-regulatory structure. This structure would consist of central and regional-level privacy commissioners, self-regulatory bodies, and data protection officers appointed by data controllers. There were also a few private members’ bills <a href="https://saveourprivacy.in/media/all/Brief-PDP-Bill-25.12.2020.pdf">introduced</a> between 2011 and 2019.</p>
<p style="text-align: justify;">None of these efforts materialised, and the regulatory regime for data protection and privacy remained embedded within the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Though the <a href="https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf">SPDI Rules</a> require body corporates to secure personal data, their enforcement is <a href="https://www.indiacode.nic.in/show-data?actid=AC_CEN_45_76_00001_200021_1517807324077&orderno=49">limited</a> to cases of negligence in abiding by this limited set of obligations, which pertain to sensitive personal information only, and where such negligence has caused wrongful loss or gain – a high threshold to prove for aggrieved individuals. Otherwise, the <a href="https://www.meity.gov.in/writereaddata/files/GSR314E_10511%281%29_0.pdf">Intermediary Guidelines</a>, 2011 require all intermediaries to generally follow these Rules under Rule 3(8). The enforcement of these obligations is <a href="https://www.ikigailaw.com/dispute-resolution-framework-under-the-information-technology-act-2000/#acceptLicense">entrusted</a> to adjudicating officers (AO) appointed by the central government, who are typically bureaucrats appointed as AOs in an ex-officio capacity.</p>
<p style="text-align: justify;">By 2017, the Aadhaar litigations had provided additional traction to the calls for a dedicated and enforceable data protection framework in India. In its judgement, the Supreme Court <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf">recognised</a> the right to privacy as a fundamental right in India and stressed the need for a dedicated data protection law. Around the same time, the Ministry of Electronics and Information Technology (MeitY) constituted a <a href="https://pib.gov.in/newsite/PrintRelease.aspx?relid=169420">committee of experts</a> under the chairmanship of Justice BN Srikrishna. The Srikrishna Committee undertook public consultations on a 2017 <a href="https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf">white paper</a>, which culminated in the nearly comprehensive <a href="https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf">Personal Data Protection Bill, 2018</a>, and an accompanying <a href="https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf">report</a>. This 2018 Bill outlined a regulatory framework of personal data processing for India and defined data processing entities as fiduciaries, which owe a duty of care to individuals to whom personal data relates. The Bill provided for the setting up of an independent regulator that would, among other things, specify further standards for data protection and administer and enforce the provisions of the Bill.</p>
<p style="text-align: justify;">MeitY invited public comments on this Bill and tabled a revised version, the Personal Data Protection <a href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf">Bill</a>, 2019 (PDP Bill), in the Lok Sabha in December 2019. Following public pressure calling for detailed discussions on the Bill before its passing, it was referred to a <a href="http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1">Joint Parliamentary Committee</a> (JPC) constituted for this purpose. It currently remains under review; the JPC is <a href="https://www.hindustantimes.com/india-news/need-state-level-data-protection-authorities-joint-parliamentary-committee-mp-amar-patnaik-101632679181340.html">reportedly</a> expected to table its report in the 2021 Winter Session of Parliament. Though the Bill is likely to undergo another <a href="https://www.hindustantimes.com/india-news/over-100-drafting-changes-proposed-to-jpc-on-data-protection-bill-101631730726756.html">round of revisions</a> following the JPC’s review, this is the closest India has come to realising its aspirations of establishing a dedicated and enforceable data protection framework.</p>
<p style="text-align: justify;">This Bill carries forward the choice of a distinct regulatory body, though <a href="https://thewire.in/tech/india-data-protection-authority-needs-constitutional-entrenchment">questions remain</a> on the degree of its independence, given the direct control granted to the central government in appointing its members and funding the DPA.</p>
<p style="text-align: justify;"><strong>Conceptualising an Independent DPA</strong></p>
<p style="text-align: justify;">The Srikrishna Committee’s 2017 white paper and its 2018 report on the PDP Bill discuss the need for a regulator in the context of <em>enforcement</em> of its provisions. However, the DPA under the PDP Bill is tasked with extensive powers to frame detailed regulations and codes of conduct to inform the day-to-day obligations of data fiduciaries and processors. To be clear, the standard-setting function for a regulator <a href="https://ssrn.com/abstract=1393647">entails</a> laying down the standards based on which regulated entities (i.e. the data fiduciaries) will be held accountable, and the manner in which they may conduct themselves while undertaking the regulated activity (i.e. personal data processing). This is in addition to its administrative and enforcement, and quasi-judicial functions, as outlined below:</p>
<p style="text-align: justify;"><strong>Functions of the DPA under the PDP Bill 2019</strong></p>
<p style="text-align: justify;"><strong><img src="http://editors.cis-india.org/home-images/PDPBill.png/@@images/93bcf598-962a-48f1-b1b1-78933dac5d27.png" alt="null" class="image-inline" title="PDP" /></strong></p>
<p style="text-align: justify;">At this stage, it is important to note that the choice of regulation via a regulator is distinct from the administration of the Bill by the central or state governments. Creating a distinct regulatory body allows government procedures to be replaced with expert-driven decision-making to ensure sound economic regulation of the sector. At the same time, the independence of the regulatory authority <a href="https://www.oxfordhandbooks.com/view/10.1093/law/9780198704898.001.0001/oxfordhb-9780198704898">insulates it</a> from political processes. The third advantage of independent regulatory authorities is the scope for ‘operational flexibility’, which is embodied in the relative autonomy of its employees and its decision-making from government scrutiny.</p>
<p style="text-align: justify;">This is also the rationale provided by the Srikrishna Committee in stating their choice to entrust the administration of the data protection law to an independent DPA. The 2017 white paper that preceded the 2018 Srikrishna Committee Report proposed a distinct regulator to provide expert-driven enforcement of laws for the highly specialised data protection sphere. Secondly, the regulator would serve as a single point of contact for entities seeking guidance and will ensure consistency by issuing rules, standards, and guidelines. The Srikrishna Committee Report concretised this idea and proposed a sector-agnostic regulator that is expected to <a href="https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf">undertake</a> expertise-driven standard-setting, enforcement, and adjudication under the Bill. The PDP Bill carries forward this conception of a DPA, which is distinct from the central government.</p>
<p style="text-align: justify;">Conceptualised as such, the DPA has a completely new set of questions to contend with. Specifically, regulatory bodies require additional safeguards to overcome the legitimacy and accountability questions that <a href="https://www.oxfordhandbooks.com/view/10.1093/law/9780198704898.001.0001/oxfordhb-9780198704898">arise</a> when law-making is carried out not by elected members of the legislature, but via the unelected executive. The DPA would need to incorporate democratic decision-making processes to overcome the deficit of public participation in an expert-driven body. Thus, the meta-objective of ensuring autonomous, expertise-driven, and legitimate regulation of personal data processing necessitates that the regulator has sufficient independence from political interference, is populated with subject matter experts and competent decision-makers, and further has democratic decision-making procedures.</p>
<p>Further, the standard-setting role of the regulator does not receive sufficient attention in terms of providing distinct procedural or substantive safeguards either in the legislation or public policy guidance.</p>
<h3>Reconnaissance under the PDP Bill: How well does it guide the DPA?</h3>
<p style="text-align: justify;">At this time, the PDP Bill is the primary guidance document that defines the DPA and its overall structure. India also lacks an overarching statute or binding framework that lays down granular guidance on regulation-making by regulatory agencies.</p>
<p style="text-align: justify;">The PDP Bill, in its current iteration, sets out skeletal provisions to guide the DPA in achieving its objectives. Specifically, the Bill provides guidance limited to the following:</p>
<ol>
<li style="text-align: justify;"><em>Parliamentary scrutiny of regulations:</em> The DPA must table all its regulations before the Parliament. This is meant to accord <a href="https://www.nipfp.org.in/media/medialibrary/2018/08/WP_237_2018_0ciIwuT.pdf">legislative scrutiny</a> to binding legal standards promulgated by unelected officials.</li>
<li style="text-align: justify;"><em>Consistency with the Act:</em> All regulations should be consistent with the Act and the rules framed under it. This integrates a standard of administrative law to a limited extent within the regulation-making process. </li></ol>
<p style="text-align: justify;">However, India’s past track record <a href="https://prsindia.org/theprsblog/how-well-does-parliament-examine-rules-framed-under-various-laws">indicates</a> that regulations, once tabled before the Parliament, are rarely questioned or scrutinised. Judicial review is typically based on ‘thin’ procedural considerations such as whether the regulation is unconstitutional, arbitrary, <em>ultra vires</em>, or goes beyond the statutory obligations or jurisdiction of the regulator. In any event, judicial review is possible only when an instrument is challenged by a litigant, and, therefore, it may not always be a robust <em>ex-ante</em> check on the exercise of this power. A third challenge arises where instruments other than regulations are issued by the regulator. These could be circulars, directions, guidelines, and even FAQs, which are <a href="https://www.nipfp.org.in/media/medialibrary/2018/08/WP_237_2018_0ciIwuT.pdf">rarely bound</a> by even the minimal procedural mandate of being tabled before the Parliament. To be sure, older regulators including the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) also face similar issues, which they have attempted to address through various methods including voluntary public consultations, stakeholder meetings, and publication of minutes of meetings. These are useful tools for the DPA to consider as well.</p>
<p>Apart from these, specific guidance is provided with respect to issuing and approving codes of practice and issuing directions as follows:</p>
<ol>
<li style="text-align: justify;">Codes of practice: The DPA is required to (i) ensure transparency,<sup>[1]</sup> (ii) consult with other sectoral regulators and stakeholders, and (iii) follow a procedure to be prescribed by the central government prior to the notification of codes of practice under the Bill.<sup>[2]</sup></li>
<li style="text-align: justify;">Directions: The DPA may issue directions to individual, regulated entities or their classes from time to time, provided these entities have been given the opportunity to be heard by the DPA before such directions are issued.<sup>[3]</sup></li></ol>
<p style="text-align: justify;">However, the meaning of transparency and the process for engaging with sectoral regulators remain unspecified under the Bill. Furthermore, the central government has been provided vast discretion to formulate these procedures, as the Bill does not specify the principles or outcomes sought to be achieved via these procedures. The Bill also does not specify instances where such directions may be issued and in which form.</p>
<p>Thus, as per its last publicly available iteration, the Bill remains silent on the following:</p>
<ul>
<li>The principles that may guide the DPA in its functioning.</li>
<li>The procedure to be followed for issuing regulations and other subordinate legislation under the Bill.</li>
<li style="text-align: justify;">The relevant regulatory instruments, other than regulations and codes of practice – such as circulars, guidelines, FAQs, etc. – that may be issued by the DPA.</li>
<li>The specifics regarding the members and employees within the DPA who are empowered to make these regulations.</li></ul>
<p style="text-align: justify;">It is unclear whether the JPC will revise the DPA’s structure or recommend statutory guidance for the DPA in executing any of its functions. This is unlikely, given that parent statutes for other regulators typically omit such guidance. As a result, the DPA may be required to make intentional and proactive choices on these matters, much like their regulatory counterparts in India. These are discussed in the section below.</p>
<h3 style="text-align: justify;">Envisaging a Proactive Role for the DPA</h3>
<p>As the primary regulatory body in charge of the enforcement of the forthcoming data protection framework, what should be the role of the DPA in setting standards for data protection?</p>
<p style="text-align: justify;">The complexity of the subject matter, and the DPA’s role as the frontline body to define day-to-day operational standards for data protection for the entire digital economy, necessitates that it develop transparent guiding principles and procedures. Furthermore, given that the DPA’s autonomy and capacity are currently unclear, the DPA will need to make deliberate choices regarding how it conducts itself. In this regard, the skeletal nature of the PDP Bill also allows the DPA to determine its own procedures to carry out its tasks effectively.</p>
<p style="text-align: justify;">This is not uncommon in India: various regulators have devised frameworks to create benchmarks for themselves. The Airports Economic Regulatory Authority (AERA) is <a href="http://aera.gov.in/aera/upload/uploadfiles/files/AERAACT.pdf">obligated</a> to follow a dedicated consultation process as per an explicit transparency mandate under the parent statute. However, the Insolvency and Bankruptcy Board of India (IBBI) has, on its own initiative, <a href="https://ibbi.gov.in/webadmin/pdf/legalframwork/2018/Oct/IBBI(Mechamism%20for%20Issuing%20Regulations)%20Regulations,%202018_2018-10-26%2011:59:43.pdf">formulated regulations</a> to guide its regulation-making functions. In other cases, consultation processes have been integrated into the respective framework through judicial intervention: the Telecom Regulatory Authority of India (TRAI) has been mandated to undertake consultations through <a href="https://clpr.org.in/wp-content/uploads/2018/10/Cellular-Operators-v.-TRAI.pdf">judicial interpretation</a> of the requirement for transparency under the Telecom Regulatory Authority of India Act, 1997 (TRAI Act).</p>
<p style="text-align: justify;">In this regard, we develop a list of considerations that the DPA should look to address while carrying out its standard-setting functions. We also draw on best practices by Indian regulators and abroad, which can help identify feasible solutions for an effective DPA for India.</p>
<p><strong>The choice of regulatory instruments</strong></p>
<p style="text-align: justify;">The DPA is empowered to issue regulations, codes of practice, and directions under the Bill. At the same time, regulators in India routinely issue other regulatory instruments to assign obligations and clarify them. Some commonly used regulatory instruments are outlined below. The terms used for instruments are not standard across regulators, and the list and description set out below outline the main concepts and not fixed labels for the instruments.</p>
<p><strong><em>Overview of regulatory instruments</em></strong></p>
<table>
<tbody>
<tr>
<td>
<p> </p>
</td>
<td>
<p><strong>Circulars and Master Circulars</strong></p>
</td>
<td>
<p><strong>Guidelines</strong></p>
</td>
<td>
<p><strong>FAQs</strong></p>
</td>
<td>
<p><strong>Directions</strong></p>
</td>
</tr>
<tr>
<td>
<p><strong>Content</strong></p>
</td>
<td>
<p>Circulars are used to prescribe detailed obligations and prohibitions for regulated entities and can mimic regulations. Master circulars consolidate circulars on a particular topic periodically.</p>
</td>
<td>
<p>These may be administrative or substantive, depending on the practice of the regulator in question.</p>
</td>
<td>
<p>Issued in public interest by regulators to clarify the regulatory framework administered by them. They cannot prescribe new standards or create obligations.</p>
</td>
<td>
<p>Issued to provide focused instructions to individual entities or a class of entities in response to an adjudicatory action or in light of a current challenge.</p>
</td>
</tr>
<tr>
<td>
<p><strong>Binding character</strong></p>
</td>
<td>
<p>They are generally <a href="https://indiankanoon.org/doc/1588871/">binding</a> in the <a href="https://indiankanoon.org/doc/1316639/">same manner</a> as regulations and rules. However, if they go beyond the parent Act or existing rules and regulations, they may be <a href="https://indiankanoon.org/doc/15876695/">struck down</a> following a judicial review.</p>
</td>
<td>
<p>They may or may not be binding depending upon the language employed or the regulator’s practice.</p>
</td>
<td>
<p>Unclear whether these are binding and to what extent. However, crucial clarifications on important concepts sometimes emerge from FAQs.</p>
</td>
<td>
<p>Binding in respect of the class of regulated entities to whom this is issued.</p>
</td>
</tr>
<tr>
<td>
<p><strong>Parliamentary scrutiny</strong></p>
</td>
<td colspan="4">
<p>Unlike regulations, these do not have to be laid before the Parliament.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify;">Thus, all these instruments, to varying degrees, have <a href="https://www.ncaer.org/news_details.php?nID=1399">been used</a> to create binding obligations for regulated entities. The <a href="https://www.nipfp.org.in/media/medialibrary/2018/08/WP_237_2018_0ciIwuT.pdf">choice of regulatory instrument</a> is not made systematically. Indeed, even a <a href="https://www.bis.org/bcbs/publ/d321.pdf">hierarchy of instruments</a> and their functions are not clearly set out by most regulators. The <a href="https://www.nipfp.org.in/media/medialibrary/2018/08/WP_237_2018_0ciIwuT.pdf">rationale</a> for deciding why a circular is issued as against a regulation is also unclear. A study on regulatory performance in India by Burman and Zaveri (2018) has <a href="https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf">highlighted</a> an over-reliance on instruments such as circulars. As per their study, between 2014 and 2016, RBI and SEBI issued 1,016 and 122 circulars, as against 48 and 51 regulations, respectively. These circulars are not bound by the same pre-consultative mandate nor are they mandated to be laid before the Parliament. While circulars may have been intended to be routinely used to lay down administrative or procedural requirements, the study narrows its frame of reference to circulars which lay down substantive regulatory requirements. In this instance, it is unclear why parliamentary scrutiny is mandated for regulations alone, and not for instruments like circulars and directions, even though they lay down similarly substantive requirements. Furthermore, there have also been <a href="https://indiacorplaw.in/2014/11/are-sebis-faqs-binding-on-partiessebi.html">instances</a> where certain instruments like FAQs have gone beyond their advisory scope to provide new directions or definitions that were not previously shared under binding instruments like regulations or circulars.</p>
<p>The DPA has been provided specific powers to issue regulations, codes of practice, and directions. However, the rationale for issuing one instead of the other has been <a href="https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/">absent</a> from the PDP Bill so far. In such a scenario, it is important that the DPA transparently outlines the <em>types</em> of instruments it wishes to use, whether they are binding or advisory, and the procedure to be followed for issuing each.</p>
<p><strong>Pre-legislative consultative rule-making</strong></p>
<p>Participatory and consultative processes have emerged as core components of democratic rule-making by regulators. Transparent consultative mechanisms could also ameliorate capacity challenges in a new regulator (particularly for technical matters) and help enhance public confidence in the regulator.</p>
<p style="text-align: justify;">In India, several regulators have adopted consultation mechanisms even when there is no specific statutory requirement. <a href="https://www.sebi.gov.in/sebiweb/home/HomeAction.do?doListing=yes&sid=4&smid=35&ssid=38">SEBI</a> and <a href="https://ibbi.gov.in/public-comments/comments-on">IBBI</a> routinely issue discussion papers and consultation papers. The RBI also issues draft instruments <a href="https://www.rbi.org.in/Scripts/DraftNotificationsGuildelines.aspx">soliciting comments</a>. As discussed previously, TRAI and AERA have distinct transparency mandates under which they carry out consultations before issuing regulations. However, these processes are not mandated for all forms of subordinate legislation. Taking cognizance of this, the Financial Sector Legislative Reform Committee (FSLRC) has <a href="https://dea.gov.in/sites/default/files/fslrc_report_vol1_1.pdf">recommended</a> transparency in the regulation-making process. This was <a href="https://dea.gov.in/sites/default/files/Handbook_GovEnhanc_fslrc_2.pdf">carried forward</a> by the Financial Stability and Development Council (FSDC), which recommended that consultation processes should be a prerequisite for all subordinate legislations, including circulars, guidelines, etc. A <a href="https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf">study</a> on regulators’ adherence to these mandates, spanning TRAI, AERA, SEBI, and RBI, demonstrated that this pre-consultation mandate is followed inconsistently, if at all. Predictable consultation practices are therefore critical.</p>
<p style="text-align: justify;">Furthermore, the study stated that it <a href="https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf">could not determine</a> whether the consultation processes yielded meaningful participation, given that regulators are not obligated to disclose how public feedback was integrated into the rule-making process. Subordinate legislations issued in the form of circulars and guidelines also do not typically undergo the same rigorous consultation processes. Thus, an ideal consultation framework would <a href="https://ec.europa.eu/info/sites/default/files/better_regulation_joining_forces_to_make_better_laws_en_0.pdf">comprise</a>:</p>
<ul>
<li style="text-align: justify;">Publication of the draft subordinate legislation along with a detailed explanation of the policy objectives. Further, the regulator should publish the internal or external studies conducted to arrive at the proposed legislation to <a href="https://legalinstruments.oecd.org/public/doc/669/51f6da97-c198-4c93-922f-1a5d80beae86.pdf">engender</a> meaningful discussion.</li>
<li>Permitting sufficient time for the public and interested stakeholders to respond to the draft.</li>
<li>Publishing all feedback received for the public to assess, and allowing them to respond to the feedback.</li></ul>
<p>However, beyond specifying the manner of conducting consultations, it will be important for the DPA to determine where they are mandatory and binding, and for which type of subordinate legislations. These are discussed in the next section.</p>
<p><strong>Choice of consultation mandates for distinct regulatory instruments</strong></p>
<p style="text-align: justify;">While the Bill provides for consultation processes for issuing and approving codes of practice, no such mechanism has been set out for other instruments. Nevertheless, specifying consultation mandates for different regulatory instruments is important to ensure that decision-making is consistent and regulation-making remains bound by transparent and accountable processes. As discussed above, regulatory instruments such as circulars and FAQs are not necessarily bound by the same consultation mandates in India. This distinction has been clarified in more sophisticated administrative law frameworks abroad. For instance, under the Administrative Procedures Act in the United States (US), all substantive rules made by regulatory agencies are <a href="https://www.reginfo.gov/public/reginfo/Regmap/regmap.pdf">bound</a> by a consultation process, which requires notice of the proposed rule-making and public feedback. This does <a href="https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf">not preclude</a> the regulatory agency from issuing clarifications, guidelines, and supplemental information on the rules issued. These documents do not require the consultation process otherwise required for formal rules. However, they cannot be used to expand the scope of the rules, set new legal standards, or have the effect of amending the rules. Nevertheless, agencies are not precluded from choosing to seek public feedback on such documents.</p>
<p style="text-align: justify;">Similarly, the Information Commissioner’s Office in the United Kingdom (UK) takes into consideration <a href="https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/">public consultations</a> and <a href="https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-on-employment-practices/">surveys</a> while issuing toolkits and guidance for regulated entities on how to comply with the data protection framework in the UK.</p>
<p style="text-align: justify;">Here, the DPA may choose to subject strictly binding instruments like regulations and codes of practice to pre-legislative consultation mandates, while softer mechanisms like FAQs may be subject to the publication of a detailed outline of the policy objective or online surveys to invite non-binding, advisory feedback. For each of these, the DPA will nonetheless need to create specific criteria by which it classifies instruments as binding and advisory, and further outline specific pre-legislative mandates for each category.</p>
<p><strong>Framework for issuing regulatory instruments and instructions</strong></p>
<p style="text-align: justify;">While the DPA is likely to issue several instruments, the system based on which these instruments will be issued is not yet clear. Without a clearly thought-out framework, different departments within the regulator <a href="https://www.nipfp.org.in/media/medialibrary/2018/08/WP_237_2018_0ciIwuT.pdf">typically issue</a> a series of directions, circulars, regulations, and other instruments. This raises questions regarding the consistency between instruments. This also requires stakeholders to go through multiple instruments to find the position of law on a given issue. Older Indian regulators are now facing challenges in adapting their ad hoc system into a framework. For example, the RBI currently issues a series of circulars and guidelines that are periodically consolidated on a subject-matter basis as Master Circulars and Master Directions. These are then updated and published on their website. IBBI also publishes <a href="https://ibbi.gov.in/uploads/publication/e42fddce80e99d28b683a7e21c81110e.pdf">handbooks</a> and <a href="https://ibbi.gov.in/publication/information-brochures">information brochures</a> that consolidate instruments in an accessible manner.</p>
<p style="text-align: justify;">While these are useful improvements, these practices cannot keep pace with rapid changes in regulatory instructions and are not complete or user-friendly (for example, the subject-matter based consolidation does not allow for filtering regulatory instructions by entity). Other jurisdictions have developed different techniques such as formal codification processes to consolidate regulations issued by government agencies under one <a href="https://www.govinfo.gov/help/cfr">unified code</a>, <a href="https://www.oaic.gov.au/privacy/privacy-registers/privacy-codes-register/">register</a>, or <a href="https://www.handbook.fca.org.uk/handbook">handbook</a>, websites that allow for searches based on different parameters (subject-matter, type of instrument, chronology, entity-based), and <a href="https://www.handbook.fca.org.uk/handbook-guides">guides</a> tailored to different types of entities. The DPA, as a new regulator, can learn from this experience and adopt a consistent framework right from the beginning.</p>
<p style="text-align: justify;">Further, an ethos of responsive regulation also requires the DPA to evaluate and revise directions and regulations periodically, in response to market and technology trends. A commitment to periodic evaluation of subordinate legislations entrenched in the rules is critical to reducing the dependence on officials and leadership, which may change. For instance, the <a href="https://www.ibbi.gov.in/webadmin/pdf/whatsnew/2018/Oct/Mechanism%20for%20issuing%20regulations%20October%20after%20Board%20meeting%20final_2018-10-22%2020:42:06.pdf">IBBI</a> has set out a mandatory review of regulations issued by it every three years.</p>
<p><strong>Dedicating capacity for drafting subordinate legislations</strong></p>
<p style="text-align: justify;">The DPA has been granted the discretion to appoint experts and staff its offices with the personnel it needs. A <a href="https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/risk/deloitte-nl-risk-reports-resources.pdf">study</a> of European data protection authorities shows that by the time the General Data Protection Regulation, 2016 became effective, most of the authorities increased the number of employees with some even reporting a 240% increase. The annual spending on the authorities also went up for most countries. While these authorities do not necessarily frame subordinate legislations, they nonetheless create guidance toolkits and codes of practice as part of their supervisory functions.</p>
<p style="text-align: justify;">In this regard, the DPA will need to ensure it has dedicated capacity in-house to draft subordinate legislations. Since regulators are generally seen as enforcement authorities, there is inadequate investment in capacity-building for drafting legislations in India.</p>
<p style="text-align: justify;">Moreover, considering the multiplicity of instruments and guidance documents the DPA is expected to issue, it may seek to create templates for these instruments, along with compulsory constituents of different types of instruments. For instance, the Office of the Australian Information Commissioner is required to include a <a href="https://www.oaic.gov.au/privacy/guidance-and-advice/guidelines-for-developing-codes/">mandatory set of components</a> while issuing or approving binding industry codes of practice.</p>
<h3 style="text-align: justify;">Conclusion</h3>
<p style="text-align: justify;">The Personal Data Protection Bill, 2019 (in the final form recommended by the JPC and accepted by the MeitY) will usher in a new chapter in India’s data protection timeline. While the Bill will finally effectuate a nearly comprehensive data protection framework for India, it will also establish a new regulatory framework that sets up a new regulator, the DPA, to oversee the new data protection law. This DPA will be empowered to regulate entities across sectors and is likely to determine the success of the data protection law in India.</p>
<p style="text-align: justify;">Furthermore, the DPA must not only contend with the complexity of markets and the fast pace of technological change, but it must also address <a href="https://blog.theleapjournal.org/2018/02/a-pragmatic-approach-to-data-protection.html">anticipated</a> regulatory capacity deficits, low levels of user literacy, the number and diversity of entities within its regulatory ambit, and the need to secure individual privacy within and outside the digital realm.</p>
<p style="text-align: justify;">Thus, looking ahead, we must account for the questions of governance that the forthcoming DPA is likely to face, as these will directly impact how entities and citizens engage with the DPA. In India, regulatory agencies adopt distinct choices to fulfil their functions. Regulators have also <a href="https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf">fared variably</a> in ensuring transparent and accountable decision-making driven by demonstrable expertise. Even if the final form of the PDP Bill does not address these gaps, the DPA has the opportunity to integrate benchmarks and best practices as discussed above within its own governance framework from the get-go as it takes on its daunting responsibilities under the PDP Bill.</p>
<p style="text-align: justify;"><em>(<span id="docs-internal-guid-6bf51b9e-7fff-d2ac-d0fb-f42bcdd7f599">The authors are Research Fellow, Law, Technology and Society Initiative and Project Lead, Regulatory Governance Project respectively at the National Law School of India University, Bangalore. Views are personal.)</span></em></p>
<p style="text-align: justify;"><span id="docs-internal-guid-6bf51b9e-7fff-d2ac-d0fb-f42bcdd7f599"><em>This post was reviewed by Vipul Kharbanda and Shweta Mohandas</em></span></p>
<h3 style="text-align: justify;">References</h3>
<ul>
<li style="text-align: justify;">For a discussion on distinct regulatory choices, please see TV Somanathan, <em>The Administrative and Regulatory State</em> in Sujit Choudhary, Madhav Khosla, et al. (eds), <a href="https://www.oxfordhandbooks.com/view/10.1093/law/9780198704898.001.0001/oxfordhb-9780198704898">Oxford Handbook of the Indian Constitution</a> (2016).</li>
<li style="text-align: justify;">On best practices for consultative law-making, see generally <em>European Union Better Regulation </em><a href="https://ec.europa.eu/info/sites/default/files/better_regulation_joining_forces_to_make_better_laws_en_0.pdf"><em>Communication</em></a>, <em>Guidelines for Effective Regulatory Consultations </em>(<a href="https://www.tbs-sct.gc.ca/rtrap-parfa/erc-cer/erc-cer-eng.pdf">Canada</a>), and <a href="https://read.oecd-ilibrary.org/governance/the-governance-of-regulators_9789264209015-en#page81"><em>OECD</em></a> <em>Best Practice Principles for Regulatory Policy: The Governance of Regulators</em>, 2014.</li></ul>
<hr align="left" size="1" width="33%" />
<p><sup>[1]</sup> Personal Data Protection Bill 2019, § 50(3).</p>
<p><sup>[2]</sup> Personal Data Protection Bill 2019, § 50(4).</p>
<p><sup>[3]</sup> Personal Data Protection Bill 2019, § 51.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/trishi-jindal-and-s-vivek-beyond-the-pdp-bill'>http://editors.cis-india.org/internet-governance/blog/trishi-jindal-and-s-vivek-beyond-the-pdp-bill</a>
</p>
No publisher | Trishi Jindal and S.Vivek | Internet Governance, Data Protection, Privacy | 2021-11-10T07:32:33Z | Blog Entry
Comments on the Statistical Disclosure Control Report
http://editors.cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by the Ministry of Statistics and Programme Implementation.</b>
<h3 style="text-align: justify;" dir="ltr">1. PRELIMINARY</h3>
<p style="text-align: justify;" dir="ltr">This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by the Ministry of Statistics and Programme Implementation.</p>
<p style="text-align: justify;" dir="ltr">CIS is thankful for the opportunity to put forth its views.</p>
<p style="text-align: justify;" dir="ltr">This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and the third part contains the ‘Comments’.</p>
<h3 style="text-align: justify;" dir="ltr">2. ABOUT CIS</h3>
<p style="text-align: justify;" dir="ltr">CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.</p>
<p style="text-align: justify;" dir="ltr">CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.</p>
<h3 style="text-align: justify;" dir="ltr">3. COMMENTS</h3>
<h4 style="text-align: justify;" dir="ltr">3.1 General Comments</h4>
<p style="text-align: justify;" dir="ltr">As a non-profit organisation, we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data it collects available to the public in open formats, with relevant information about the reliability of statistical estimates.</p>
<p><span style="text-align: justify;">We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing it in exportable data formats like Excel and MS Access databases. </span><span style="text-align: justify;">While we understand that this issue primarily concerns the Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure is a general threat to transparency in a democracy and to the privacy of individuals. </span><span style="text-align: justify;">Going through the report, we understand that the committee is unable to prescribe a standard for other ministries and departments until it has tried and piloted these standards within the Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and the linking of all the databases with a unique identifier, the Aadhaar Number. </span><span style="text-align: justify;">At the same time, we understand the importance of data dissemination being carried out, and we recommend the following for improving the standards around data disclosure control.</span></p>
<h4 style="text-align: justify;" dir="ltr">3.2 Integrity of Information and Data</h4>
<p style="text-align: justify;" dir="ltr">We agree with the committee that error rates need to be kept in mind while designing practices to convert raw data. However, we request that the changes being made in this process be actively measured and documented. Where errors are computed, guidelines can be framed to reduce the possibility of errors being misinterpreted and causing a loss of integrity of information. Statistics are important for decision-making in governance, and errors in computations can introduce biases that affect millions of people. Statistical biases need to be examined while converting data from its raw format, to make sure that the information causes no damage.</p>
<h4 style="text-align: justify;" dir="ltr">3.3 Data Security</h4>
<p style="text-align: justify;" dir="ltr">One of the important issues around the storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. We recommend introducing masking standards for cases where personally identifiable microdata is published. There is also an urgent need for departments to audit access to information and track the sharing of information. We recommend that the department digitally sign all information and documents that it publishes or shares, to keep track of who has accessed the information and to verify its authenticity.</p>
<p style="text-align: justify;" dir="ltr">We request the department to define what exactly “usage for statistical purposes only” is, and to recommend standards to control and restrict the usage of information to this purpose. It is important that the department design frameworks or mechanisms that allow others to report violations of this restriction. This process should be transparent and heavily documented.</p>
<h4 style="text-align: justify;" dir="ltr">3.4 Anonymization of microdata</h4>
<p style="text-align: justify;" dir="ltr">We recommend that the data being collected be anonymized at source, to avoid the possibility of accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with the steady increase in data mining and classification algorithms and practices, we recommend that the standards in this area evolve.</p>
<h4 style="text-align: justify;" dir="ltr">3.5 Data Dissemination</h4>
<p style="text-align: justify;" dir="ltr">Data dissemination is an important aspect for district statistics officers. We recommend that they actively communicate their work through monthly newsletters and quarterly workshops, to help improve the conversations around statistics and, at the same time, engage with the users who would benefit from the data.</p>
<p style="text-align: justify;" dir="ltr">We also recommend that data, when published, include metadata on collection, modification, storage and other important information. The information also needs to be published in open formats that do not require proprietary software to open. At the same time, data should be published in multiple formats like CSV, XLS, PDF,</p>
<p style="text-align: justify;" dir="ltr">The committee also recognizes the need for data users to be part of discussions around important decisions and to be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.</p>
<p style="text-align: justify;" dir="ltr">Thank you for this opportunity. We look forward to working with you in the future.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report'>http://editors.cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report</a>
</p>
No publisher | Srinivas Kodali and Amber Sinha | Call for Comments, Digital Access, Open Data, Open Government Data, Data Protection, Data Governance, Aadhaar, Digitisation, Information Security, Openness, Internet Governance, Data Management | 2019-03-13T00:28:44Z | Blog Entry
The Wolf in Sheep's Clothing: Demanding your Data
http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data
<b>The increasing digitalization of the economy and ubiquity of the Internet, coupled with developments in Artificial Intelligence (AI) and Machine Learning (ML), have given rise to transformational business models across several sectors.</b>
<p>This piece was originally published in <a class="external-link" href="https://telecom.economictimes.indiatimes.com/tele-talk/the-wolf-in-sheep-s-clothing-demanding-your-data/4497">The Economic Times Telecom</a>, on 8 September, 2020.</p>
<p>The increasing digitalization of the economy and ubiquity of the <a href="https://telecom.economictimes.indiatimes.com/tag/internet">Internet</a>, coupled with developments in <a href="https://telecom.economictimes.indiatimes.com/tag/artificial+intelligence">Artificial Intelligence</a>
(AI) and Machine Learning (ML), have given rise to transformational
business models across several sectors. These developments have changed
the very structure of existing sectors, with a few dominant firms
straddling many sectors. The position of these firms is
entrenched due to the large amounts of data they have, their usage of
sophisticated algorithms that deliver very targeted service/content, and
their global nature.<br /><br /></p>
<p>Such data-based network businesses
are generally multi-sided platforms subject to network effects and
winner-takes-all phenomena, often making traditional competition
regulation inappropriate. In addition, there has been concern that such
companies hurt competition as they are owners of large amounts of data
collected globally, the very basis on which new services are predicated.
Also, since users show inertia in sharing their data on multiple
platforms, new companies find it very challenging to emerge. Several of
the large companies are of US origin. Several regions/countries such as
the EU, the UK and India are concerned that while these companies benefit from the
data of their citizens or their <a href="https://telecom.economictimes.indiatimes.com/tag/devices">devices</a>,
SMEs and other companies in their own countries find it increasingly
difficult to remain viable or achieve scale. With the objective of
supporting enterprises, including SMEs, in their own countries, Europe,
the UK and India are at different stages of data regulation initiatives.<br /><br /></p>
<p>In India, the <a href="https://telecom.economictimes.indiatimes.com/tag/personal+data+protection">Personal Data Protection</a>
(PDP) Bill, 2019 deals with the framework for collecting, managing and
transferring the Personal Data of Indian citizens, including mandating the
sharing of anonymized data of individuals and non-personal data for
better targeting of services or policy making. In addition, the Report
by the Committee of Experts (CoE) on Non Personal Data (NPD) came up
with a Framework for Regulating NPD. Since the NPD Report is a more
recent phenomenon, this article analyzes some aspects of it.<br /><br /></p>
<p>According
to the CoE, non-personal data could be of two types. First, data or
information which was never about an individual (e.g. weather data).
Second, data or information that once was related to an individual (e.g.
mobile number) but has now ceased to be identifiable due to the removal
of certain identifiers through the process of ‘anonymisation’. However,
it may be possible to recover the personal data from such anonymized
data and therefore, the distinction between personal and non-personal is
not clean. In any case, the PDP Bill 2019 deals with personal data. If
the CoE felt that some aspects of personal data (including anonymized
data) were not adequately dealt with, it should work to strengthen it.
The current approach of the CoE is bound to create confusion and
overlapping jurisdiction. Since anonymized data is required to be
shared, there are disincentives to anonymization, causing greater risk
to individual privacy.<br /><br /></p>
<p>A new class of business based on a “<em>horizontal classification cutting across different industry sectors</em>” is defined. This refers to any business that derives “<em>new or additional economic value from data, by collecting, storing, processing, and managing data</em>”
based on a certain threshold of data collected/processed that will be
defined by the regulatory authority that is outlined in the report. The
CoE also recommends that “<em>Data Businesses will provide, within India, open access to meta-data and regulated access to the underlying data</em>” without any remuneration. Further, “<em>By
looking at the meta-data, potential users may identify opportunities
for combining data from multiple Data Businesses and/or governments to
develop innovative solutions, products and services. Subsequently, data
requests may be made for the detailed underlying data</em>”.<br /><br /></p>
<p>With
increasing digitalization, today almost every business is a data
business. The problem in such categorization will be with the definition
of thresholds. It is likely that even a small video sharing app or an
AR/VR app would store/collect/process/transmit more data than say a
mid-sized bank in terms of data volumes. Further, with increasing
embedding of <a href="https://telecom.economictimes.indiatimes.com/tag/iot">IoT</a>
in various aspects of our lives and businesses (smart manufacturing,
logistics, banking etc), the amount of data that is captured by even
small entities can be huge.<br /><br /></p>
<p>The private sector, driven by
profitability, identifies innovative business models, risks capital and
finds unique ways of capturing and melding different data sets. In
order to sustain economic growth, such innovation is necessary. The
private sector would also like legal protection over these aspects of
its businesses, including the unique IPR that may be embedded in the
processing of data or its business processes. But mandating such onerous
requirements on sharing by the CoE is going to kill any private
initiative. Any regulatory regime must balance between the need to
provide a secure environment for protecting data of incumbents and
making it available to SMEs/businesses.<br /><br /></p>
<p>Meta data
provides insights into a company’s databases and processes. These are
a source of competitive advantage for any company. Meta data is not
without a context. The task of assessing the basis for demanding such disclosure is assigned
to the proposed NPD Regulator, who would evaluate the purpose. In
practice, purposes are open to interpretation, and the structure of the
appeal mechanism etc. is going to stall any such sharing. Would such
mandates of sharing not interfere with the existing Intellectual
Property Rights? Or the freedom to contract? Any innovation could easily
be made available to a competitor that front-ends itself with a
start-up. To mandate making such data available would not be fair.
Further, how would the NPD regulator even ensure that such data is used
for the purpose (which the proposed regulator is supposed to evaluate)
that it is sought for? In Europe, where such <a href="https://telecom.economictimes.indiatimes.com/tag/data+sharing">data sharing</a>
mandates are being considered, the focus is on public data. For private
entities, the sharing is largely based on voluntary contributions.
Compulsory sharing is mandated only under restricted situations where
market failures are not addressed through the Competition Act, and
provided that the legitimate interest of the data holder and existing legal
provisions are taken into account.<br /><br /></p>
<p>Further, the
compliance requirements for such Data Businesses are very onerous and
make a mockery of the “minimum government” framework of the government. The
CoE recommends that all Data Businesses, whether government, NGO, or
private, be required “<em>to disclose data elements collected, stored and processed, and data-based services offered</em>”. As if this was not enough, the CoE further recommends that “<em>Every
Data Business must declare what they do and what data they collect,
process and use, in which manner, and for what purposes (like disclosure
of data elements collected, where data is stored, standards adopted to
store and secure data, nature of data processing and data services
provided). This is similar to disclosures required by pharma industry
and in food products</em>”. Such disclosures are necessary in these
industries as the companies in these sectors deal with critical aspects of
human life. But are such requirements necessary for all activities and
businesses? As long as organizations collect and process data in a
legal manner, within the sectoral regulation, why should such
information have to be “reported”? Further, such bureaucratic processes
and reporting requirements are only going to be a burden to existing
legitimate businesses and give rise to a thriving regulatory license
raj.<br /><br /></p>
<p>Further questions that arise are: How is any
compliance agency going to make sure that all the underlying metadata is
made available in a timely manner? As companies respond to a dynamic
environment, their analysis and analytical tools change and so does the
metadata. This inherent aspect of businesses raises the question: At
what point in time should companies make their meta-data available? How
will the compliance be monitored?<br /><br /></p>
<p>Conclusion: The CoE
needs to create an enabling and facilitating environment for data
sharing. The incentives for different types of entities to participate
and contribute must be recognized. Adequate provisions for risks and
liabilities arising out of data sharing need to be thought through.
National initiatives on data sharing should not create an onerous
reporting regime, as envisaged by the CoE, even if digital.<br /><br /></p>
<p class="article-disclaimer"><em>DISCLAIMER:
The views expressed are solely of the author and ETTelecom.com does not
necessarily subscribe to it. ETTelecom.com shall not be responsible for
any damage caused to any person/organisation directly or indirectly.</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data'>http://editors.cis-india.org/internet-governance/blog/the-wolf-in-sheeps-clothing-demanding-your-data</a>
</p>
No publisher | Rekha Jain | Internet Governance, Data Protection, Artificial Intelligence | 2020-11-10T17:44:13Z | Blog Entry
The PDP Bill 2019 Through the Lens of Privacy by Design
http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design
<b>This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of the Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation. </b>
<h2>Background</h2>
<p>The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same <a class="external-link" href="https://www.prsindia.org/billtrack/personal-data-protection-bill-2019">[1]</a>. The PDP Bill, 2019 contains several clauses that have implications for the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">[2]</a>. She describes this perspective as holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies by default <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">[3]</a>. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product <a class="external-link" href="https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/">[4]</a>. While PbD is a conceptual framework, its application can change the way digital platforms are created and the way in which people interact with them. From devising a business model to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.</p>
<p>The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal <a class="external-link" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf">[5]</a>. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise the ways in which privacy is being protected throughout the stages of processing of personal data, and in which the interest of the individual is accounted for in each of these stages. Once the policy is certified by the Data Protection Authority, the data fiduciaries are also required to publish it on their website <a class="external-link" href="https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft">[6]</a>. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact on the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what steps are being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends regulations for data minimisation, the establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.</p>
<p>This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how the PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implications for the notice and consent communication in digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark patterns are deceptive user interface interactions, designed to mislead or trick users into doing something they don’t want to do <a class="external-link" href="https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c">[7]</a>. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.</p>
<p>The full paper can be read <a href="http://editors.cis-india.org/internet-governance/the-pdp-bill-2019-through-the-lens-of-privacy-by-design/at_download/file" class="external-link">here</a>.</p>
<p>[1] <a class="external-link" href="https://www.prsindia.org/billtrack/personal-data-protection-bill-2019">https://prsindia.org/billtrack/personal-data-protection-bill-2019</a> </p>
<p>[2] <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf</a></p>
<p>[3] <a class="external-link" href="https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf">https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf</a></p>
<p>[4] <a class="external-link" href="https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/">https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/</a></p>
<p>[5] <a class="external-link" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf">http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf</a></p>
<p>[6] <a class="external-link" href="https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft">https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft</a></p>
<p>[7] <a class="external-link" href="https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c">https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design'>http://editors.cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design</a>
</p>
No publisher | Saumyaa Naidu, Akash Sheshadri, Shweta Mohandas, and Pranav M Bidare; Edited by Arindrajit Basu, Shweta Reddy; With inputs from Amber Sinha | Design, Internet Governance, Data Protection, Privacy | 2020-11-13T07:51:03Z | Blog Entry
Comments to the Personal Data Protection Bill 2019
http://editors.cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019
<b>The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019. </b>
<p> </p>
<h4>Please view our general comments below, or download as PDF <a href="http://editors.cis-india.org/accessibility/blog/cis-general-comments-to-the-pdp-bill-2019" class="internal-link" title="CIS' General Comments to the PDP Bill 2019">here</a>.</h4>
<h4>Our comments and recommendations can be downloaded as PDF <a href="http://editors.cis-india.org/accessibility/blog/cis-comments-pdp-bill-2019" class="internal-link" title="CIS Comments PDP Bill 2019">here</a>.</h4>
<h4>We have also prepared an annotated version of the Bill, where our detailed comments and recommendations can be viewed alongside the Bill, available as PDF <a href="http://editors.cis-india.org/accessibility/blog/annotated-ver-pdp-bill-2019" class="internal-link" title="Annotated ver PDP Bill 2019">here</a>.</h4>
<hr />
<h2>General Comments</h2>
<h3>1. Executive notification cannot abrogate fundamental rights</h3>
<p>In 2017, the Supreme Court in K.S. Puttaswamy v Union of India [1] held the right to privacy to be a fundamental right. While this right is subject to reasonable restrictions, the restrictions have to meet a three fold requirement, namely (i) existence of a law; (ii) legitimate state aim; (iii) proportionality. Under the 2018 Bill, the exemption to government agencies for processing of personal data from the provisions of the Bill in the ‘interest of the security of the State’ [2] was subject to a law being passed by Parliament. However, under Clause 35 of the present Bill, the Central Government is merely required to pass a written order exempting the government agency from the provisions of the Bill. Any restriction on the right to privacy will have to comply with the conditions prescribed in Puttaswamy I. An executive order issued by the central government authorising any agency of the government to process personal data does not satisfy the first requirement laid down by the Supreme Court in Puttaswamy I — as it is not a law passed by Parliament. The Supreme Court, while deciding upon the validity of Aadhaar in K.S. Puttaswamy v Union of India [3], noted that “an executive notification does not satisfy the requirement of a valid law contemplated under Puttaswamy. A valid law in this case would mean a law passed by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right cannot be sustained by an executive notification.”</p>
<p> </p>
<h3>2. Exemptions under Clause 35 do not comply with the legitimacy and proportionality test</h3>
<p>The lead judgement in Puttaswamy I, while formulating the three fold test, held that the restraints on privacy emanate from the procedural and content based mandate of Article 21 [4]. The Supreme Court in Maneka Gandhi v Union of India [5] had clearly established that “mere prescription of some kind of procedure cannot ever meet the mandate of Article 21. The procedure prescribed by law has to be fair, just and reasonable, not fanciful, oppressive and arbitrary” [6]. The existence of a law is the first requirement; the second requirement is that of ‘legitimate state aim’. As per the lead judgement, this requirement ensures that “the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action” [7]. It is established that for a provision which confers upon the executive or administrative authority discretionary powers to be regarded as non-arbitrary, the provision should lay down clear and specific guidelines for the executive to exercise the power [8]. The third test to be complied with is that the restriction should be ‘proportionate,’ i.e. the means that are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law. The Supreme Court in Modern Dental College & Research Centre v State of Madhya Pradesh [9] specified the components of proportionality standards —</p>
<ol><li>A measure restricting a right must have a legitimate goal;</li>
<li>It must be a suitable means of furthering this goal;</li>
<li>There must not be any less restrictive, but equally effective alternative; and</li>
<li>The measure must not have any disproportionate impact on the right holder</li></ol>
<p>Clause 35 provides extensive grounds for the Central Government to exempt any agency from the requirements of the bill but does not specify the procedure to be followed by the agency while processing personal data under this provision. It merely states that the ‘procedure, safeguards and oversight mechanism to be followed’ will be prescribed in the rules. The wide powers conferred on the central government without clearly specifying the procedure may be contrary to the three fold test laid down in Puttaswamy I, as it is difficult to ascertain whether a legitimate or proportionate objective is being fulfilled [10].</p>
<p> </p>
<h3>3. Limited powers of Data Protection Authority in comparison with the Central Government</h3>
<p>In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example:</p>
<ol><li>In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so.</li>
<li>Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.</li></ol>
<p>In order to govern data protection effectively, there is a need for a responsive market regulator with a strong mandate and resources. The political nature of personal data also requires that the governance of data, particularly the rule-making and adjudicatory functions performed by the Authority, is independent of the Executive.</p>
<p> </p>
<h3>4. No clarity on data sandbox</h3>
<p>The Bill contemplates a sandbox for “innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” A Data Sandbox is a non-operational environment where the analyst can model and manipulate data inside the data management system. Data sandboxes have been envisioned as a secure area where only a copy of the company’s or participant companies’ data is located [11]. In essence, it refers to the scalable and creation platform which can be used to explore an enterprise’s information sets. On the other hand, regulatory sandboxes are controlled environments where firms can introduce innovations to a limited customer base within a relaxed regulatory framework, after which they may be allowed entry into the larger market after meeting certain conditions. This purportedly encourages innovation through the lowering of entry barriers by protecting newer entrants from unnecessary and burdensome regulation. Regulatory sandboxes can be interpreted as a form of responsive regulation by governments that seek to encourage innovation – they allow selected companies to experiment with solutions within an environment that is relatively free of most of the cumbersome regulations that they would ordinarily be subject to, while still subject to some appropriate safeguards and regulatory requirements. Sandboxes are regulatory tools which may be used to permit companies to innovate in the absence of heavy regulatory burdens. However, these ordinarily refer to burdens related to high barriers to entry (such as capital requirements for financial and banking companies), or regulatory costs. In this Bill, however, the relaxing of data protection provisions for data fiduciaries would lead to restrictions of the privacy of individuals. Limiting a fundamental right on grounds of ‘fostering innovation’ is not a constitutionally tenable position, and contradicts the primary objectives of a data protection law.</p>
<p> </p>
<h3>5. The primacy of ‘harm’ in the Bill ought to be reconsidered</h3>
<p>While a harms based approach is necessary for data protection frameworks, such approaches should be restricted to the positive obligations, penal provisions and responsive regulation of the Authority. The Bill does not provide any guidance on either the interpretation of the term ‘harm,’ [12] or on the various activities covered within the definition of the term. Terms such as ‘loss of reputation or humiliation’ and ‘any discriminatory treatment’ are subjective standards and are open to varied interpretations. This ambiguity in the definition will make it difficult for the data principal to demonstrate harm and for the DPA to take necessary action, as several provisions are based upon harm being caused or likely to be caused. Some of the significant provisions where ‘harm’ is a precondition for the provision to come into effect are —</p>
<ol><li>Clause 25: Data Fiduciary is required to notify the Authority about the breach of personal data processed by the data fiduciary, if such breach is likely to cause harm to any data principal. The Authority after taking into account the severity of the harm that may be caused to the data principal will determine whether the data principal should be notified about the breach.</li>
<li>Clause 32 (2): A data principal can file a complaint with the data fiduciary for a contravention of any of the provisions of the Act, which has caused or is likely to cause ‘harm’ to the data principal.</li>
<li>Clause 64 (1): A data principal who has suffered harm as a result of any violation of the provision of the Act by a data fiduciary, has the right to seek compensation from the data fiduciary.</li>
<li>Clause 16 (5): The guardian data fiduciary is barred from profiling, tracking or undertaking targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.</li></ol>
<p> </p>
<h3>6. Non personal data should be outside the scope of this Bill</h3>
<p>Clause 91 (1) states that the Act does not prevent the Central Government from framing a policy for the digital economy, in so far as such policy does not govern personal data. The Central Government can, in consultation with the Authority, direct any data fiduciary to provide any anonymised personal data or other non-personal data to enable better targeting of delivery of services or formulation of evidence based policies in any manner as may be prescribed. It is concerning that the data protection bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymised and/or non-personal data that rests with any data fiduciary that falls under the ambit of the bill to support the digital economy including for its growth, security, integrity, and prevention of misuse. It is unclear how the government, in practice, will be able to compel organizations to share this data. Further, there is a lack of clarity on the contours of the definition of non-personal data and the Bill does not define the term. It is also unclear whether the Central Government can compel the data fiduciary to transfer/share all forms of non-personal data and the rights and obligations of the data fiduciaries and data principals over such forms of data. Anonymised data refers to data which has ‘irreversibly’ been converted into a form in which the data principal cannot be identified. However, as several instances have shown, ‘irreversible’ anonymisation is not possible. In the United States, the home addresses of taxi drivers were uncovered and in Australia individual health records were mined from anonymised medical bills [13].
In September 2019, the Ministry of Electronics and Information Technology constituted an expert committee under the chairmanship of Kris Gopalakrishnan to study various issues relating to non-personal data and to deliberate over a data governance framework for the regulation of such data. The provision should be deleted and the scope of the bill should be limited to protection of personal data and to provide a framework for the protection of individual privacy. Until the report of the expert committee is published, the Central Government should not frame any law/regulation on the access and monetisation of non-personal/anonymised data nor can they create a blanket provision allowing them to request such data from any data fiduciary that falls within the ambit of the bill. If the government wishes to use data resting with a data fiduciary, it must do so on a case to case basis and under formal and legal agreements with each data fiduciary.</p>
<p> </p>
<h3>7. Steps towards greater decentralisation of power</h3>
<p>We propose the following steps towards greater decentralisation of powers and devolved jurisdiction —</p>
<ol><li>Creation of State Data Protection Authorities: A single centralised body may not be the appropriate form of such a regulator. We propose that on the lines of central and state commissions under the Right to Information Act, 2005, state data protection authorities are set up which are in a position to respond to local complaints and exercise jurisdiction over entities within their territorial jurisdictions.</li>
<li>More involvement of industry bodies and civil society actors: In order to lessen the burden on the data protection authorities it is necessary that there is active engagement with industry bodies, sectoral regulators and civil society bodies engaged in privacy research. Currently, the Bill provides for involvement of industry or trade association, association representing the interests of data principals, sectoral regulator or statutory Authority, or any departments or ministries of the Central or State Government in the formulation of codes of practice. However, it would be useful to also have a more active participation of industry associations and civil society bodies in activities such as promoting awareness among data fiduciaries of their obligations under this Act, promoting measures and undertaking research for innovation in the field of protection of personal data.</li></ol>
<p> </p>
<h3>8. The Authority must be empowered to exercise responsive regulation</h3>
<p>In a country like India, the challenge is to move rapidly from a state of little or no data protection law, and consequently an abysmal state of data privacy practices, to a strong data protection regulation and a powerful regulator capable of enabling a state of robust data privacy practices. This requires a system of supportive mechanisms to the stakeholders in the data ecosystem, as well as systemic measures which enable the proactive detection of breaches. Further, keeping in mind the limited regulatory capacity in India, there is a need for the Authority to make use of different kinds of inexpensive and innovative strategies. We recommend the following additional powers for the Authority to be clearly spelt out in the Bill —</p>
<ol><li>Informal Guidance: It would be useful for the Authority to set up a mechanism on the lines of the Securities and Exchange Board of India (SEBI)’s Informal Guidance Scheme, which enables regulated entities to approach the Authority for non-binding advice on the position of law. Given that this is the first omnibus data protection law in India, and there is very little jurisprudence on the subject from India, it would be extremely useful for regulated entities to get guidance from the regulator.</li>
<li>Power to name and shame: When a DPA makes public the names of organisations that have seriously contravened data protection legislation, this is a practice known as “naming and shaming.” The UK ICO and other DPAs recognise the power of publicity, as evidenced by their willingness to co-operate with the media. The ICO does not simply post monetary penalty notices (MPNs or fines) on its websites for journalists to find, but frequently issues press releases, briefs journalists and uses social media. The ICO’s publicity statement on communicating enforcement activities states that the “ICO aims to get media coverage for enforcement activities.”</li>
<li>Undertakings: The UK ICO has also leveraged the threat of fines into an alternative enforcement mechanism, seeking contractual undertakings from data controllers to take certain remedial steps. Undertakings have significant advantages for the regulator. Since an undertaking is a more “co-operative” solution, it is less likely that a data controller will change it. An undertaking is simpler and easier to put in place. Furthermore, the Authority can put an undertaking in place quickly as opposed to legal proceedings which are longer.</li></ol>
<p> </p>
<h3>9. No clear roadmap for the implementation of the Bill</h3>
<p>The 2018 Bill had specified a roadmap for the different provisions of the Bill to come into effect from the date of the Act being notified [14]. It specifically stated the time period within which the Authority had to be established and the subsequent rules and regulations notified. The present Bill does not specify any such blueprint; it does not provide any details on either when the Bill will be notified or the time period within which the Authority shall be established and specific rules and regulations notified. Considering that 25 provisions have been deferred to rules that have to be framed by the Central Government and a further 19 provisions have been deferred to the regulations to be notified by the Authority, the absence and/or delayed notification of such rules and regulations will impact the effective functioning of the Bill. The absence of any sunrise or sunset provision may disincentivise political or industrial will to support or enforce the provisions of the Bill. An example of such a lack of political will was the establishment of the Cyber Appellate Tribunal. The tribunal was established in 2006 to redress cyber fraud. However, it was virtually a defunct body from 2011 onwards when the last chairperson retired. It was eventually merged with the Telecom Dispute Settlement and Appellate Tribunal in 2017. We recommend that the Bill clearly lays out a time period for the implementation of the different provisions of the Bill, especially a time frame for the establishment of the Authority. This is important to give full and effective effect to the right of privacy of the individual.
It is also important to ensure that individuals have an effective mechanism to enforce the right and seek recourse in case of any breach of obligations by the data fiduciaries. For offences, we suggest a system of mail boxing where provisions and punishments are enforced in a staggered manner, for a period till the fiduciaries are aligned with the provisions of the Act. The Authority must ensure that data principals and fiduciaries have sufficient awareness of the provisions of this Bill before the provisions for punishment are brought into force. This will allow the data fiduciaries to align their practices with the provisions of this new legislation and the Authority will also have time to define and determine certain provisions that the Bill has left the Authority to define. Additionally, enforcing penalties for offences initially must be a staggered process, combined with provisions such as warnings, in order to spare first time and mistaken offenders from paying a high price. This will relieve the fear of smaller companies and startups who might fear processing data for the fear of paying penalties for offences.</p>
<p> </p>
<h3>10. Lack of interoperability</h3>
<p>In its current form, a number of the provisions in the Bill will make it difficult for India’s framework to be interoperable with other frameworks globally and in the region. For example, differences between the draft Bill and the GDPR can be found in the grounds for processing, data localization frameworks, the framework for cross border transfers, definitions of sensitive personal data, inclusion of the undefined category of ‘critical data’, and the roles of the authority and the central government.</p>
<p> </p>
<h3>11. Legal Uncertainty</h3>
<p>In its current structure, there are a number of provisions in the Bill that, when implemented, run the risk of creating an environment of legal uncertainty. These include: lack of definition of critical data, lack of clarity in the interpretation of the terms ‘harm’ and ‘significant harm’, ability of the government to define further categories of sensitive personal data, inclusion of requirements for ‘social media intermediaries’, inclusion of ‘non-personal data’, framing of the requirements for data transfers, bar on processing of certain forms of biometric data as defined by the Central Government, the functioning between a consent manager and another data fiduciary, the inclusion of an AI sandbox and the definition of state. To ensure the greatest amount of protection of individual privacy rights and the protection of personal data while also enabling innovation, it is important that any data protection framework is structured and drafted in a way to provide as much legal certainty as possible.</p>
<p> </p>
<h3>Endnotes</h3>
<p>1. (2017) 10 SCC 641 (“Puttaswamy I”).</p>
<p>2. Clause 42(1) of the 2018 Bill states that “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to such interests being achieved.”</p>
<p>3. (2019) 1 SCC 1 (“Puttaswamy II”)</p>
<p>4. Puttaswamy I, supra, para 180.</p>
<p>5. (1978) 1 SCC 248.</p>
<p>6. Ibid para 48.</p>
<p>7. Puttaswamy I supra para 180.</p>
<p>8. State of W.B. v. Anwar Ali Sarkar, 1952 SCR 284; Satwant Singh Sawhney v A.P.O AIR 1967 SC 1836.</p>
<p>9. (2016) 7 SCC 353.</p>
<p>10. Dvara Research “Initial Comments of Dvara Research dated 16 January 2020 on the Personal Data Protection Bill, 2019 introduced in Lok Sabha on 11 December 2019”, January 2020, https://www.dvara.com/blog/2020/01/17/our-initial-comments-on-the-personal-data-protection-bill-2019/ (“Dvara Research”).</p>
<p>11. “A Data Sandbox for Your Company”, Terrific Data, last accessed on January 31, 2019, http://terrificdata.com/2016/12/02/3221/.</p>
<p>12. Clause 3(20) — “harm” includes (i) bodily or mental injury; (ii) loss, distortion or theft of identity; (iii) financial loss or loss of property; (iv) loss of reputation or humiliation; (v) loss of employment; (vi) any discriminatory treatment; (vii) any subjection to blackmail or extortion; (viii) any denial or withdrawal of service, benefit or good resulting from an evaluative decision about the data principal; (ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or (x) any observation or surveillance that is not reasonably expected by the data principal.</p>
<p>13. Alex Hern “Anonymised data can never be totally anonymous, says study”, July 23, 2019 https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds.</p>
<p>14. Clause 97 of the 2018 Bill states “(1) For the purposes of this Chapter, the term ‘notified date’ refers to the date notified by the Central Government under sub-section (3) of section 1. (2) The notified date shall be any date within twelve months from the date of enactment of this Act. (3) The following provisions shall come into force on the notified date- (a) Chapter X; (b) Section 107; and (c) Section 108. (4) The Central Government shall, no later than three months from the notified date establish the Authority. (5) The Authority shall, no later than twelve months from the notified date notify the grounds of processing of personal data in respect of the activities listed in sub-section (2) of section 17. (6) The Authority shall, no later than twelve months from the date notified date issue codes of practice on the following matters- (a) notice under section 8; (b) data quality under section 9; (c) storage limitation under section 10; (d) processing of personal data under Chapter III; (e) processing of sensitive personal data under Chapter IV; (f) security safeguards under section 31; (g) research purposes under section 45; (h) exercise of data principal rights under Chapter VI; (i) methods of de-identification and anonymisation; (j) transparency and accountability measures under Chapter VII. (7) Section 40 shall come into force on such date as is notified by the Central Government for the purpose of that section. (8) The remaining provision of the Act shall come into force eighteen months from the notified date.”</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019'>http://editors.cis-india.org/internet-governance/blog/comments-to-the-personal-data-protection-bill-2019</a>
</p>
No publisher | Amber Sinha, Elonnai Hickok, Pallavi Bedi, Shweta Mohandas, Tanaya Rajwade | Internet Governance, Data Protection, Privacy | 2020-02-21T10:13:35Z | Blog Entry