The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 41 to 46.
Amutha Arunachalam - Stand Shielded of Digital Rights (Delhi, May 05, 4 pm)
http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05
<b>We are proud to announce that Amutha Arunachalam will be the speaker at the May #FirstFriday event at the CIS Delhi office. Amutha is Principal Technical Officer in the Council Of Scientific and Industrial Research. The talk will be on digital signatures, traceability of time-stamps, and setting up an Indian Standard (Digital) Time. If you are joining us, please RSVP at the soonest as we have only limited space in our office.</b>
<p> </p>
<h3><strong>Amutha Arunachalam</strong></h3>
<h4>Principal Technical Officer, Council of Scientific and Industrial Research</h4>
<p> </p>
<p><img src="http://editors.cis-india.org/internet-governance/files/amutha-arunachalam/image" alt="Amutha Arunachalam" class="image-inline" title="Amutha Arunachalam" /></p>
<p> </p>
<p>Amutha Arunachalam entered the Indian Government service as an Intelligence Officer in Ministry of Home Affairs in 1988 after working at the Indian Institute of Technology Madras in Fibre Optic communication Laboratory. She later moved to the Council of Scientific and Industrial Research in the field of Information Technology. She managed the IT infrastructure of the CSIR lab (Central Road Research Institute) till 2006 and moved to CSIR Head Quarters and contributed in the ICT refurbishment drive, mainly in the IT with a major contribution in establishing DATA Centre, implementing network security, linking CSIR HQ to the National Knowledge Network facility extended by National Information Centre(NIC) before joining UIDAI.</p>
<p>In UIDAI (National Identity Project) she managed the Data Center operations that includes critical CIDR (Central Identification Repository) and was responsible for setting up Infrastructure to roll out Disaster recovery centre, Aadhaar Enrolment Service, Benchmarking of UIDAI Enrolment , Authentication Applications and setting up of Backend infrastructure of the Authentication Service for Roll out to citizens. After the five year Deputation at UIDAI (Feb 2016), she is currently posted in the Council of Scientific and Industrial Research working in the Area of Policy in Cyber Security for CSIR, Enhancing Research with collaborative, networking and Building unified CSIR Ecosystem with Enterprise platform.</p>
<p> </p>
<h3><strong>RSVP</strong></h3>
<iframe src="https://docs.google.com/forms/d/e/1FAIpQLSfWGNDezfJOi3UU7GpAWkrKn0uOMlCsV2P_6QEHqPWCb6JSqA/viewform?embedded=true" frameborder="0" marginwidth="0" marginheight="0" height="666" width="600">Loading...</iframe>
<p> </p>
<h3><strong>Location</strong></h3>
<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d876.157470894426!2d77.20553462919722!3d28.550842498903158!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0x834072df81ffcb39!2sCentre+for+Internet+and+Society!5e0!3m2!1sen!2sin!4v1493818109951" frameborder="0" height="450" width="600"></iframe>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05'>http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05</a>
</p>
No publishersumandroCybersecurityInternet GovernanceDigital India#FirstFridayAtCISE-Governance2017-05-03T13:30:32ZEventAadhaar Bill 2016 Evaluated against the National Privacy Principles
http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles
<b>In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png" alt="Aadhaar Bill 2016 Evaluated against the National Privacy Principles" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles'>http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles</a>
</p>
No publisherPooja Saxena and Amber SinhaUIDBig DataPrivacyInternet GovernanceInfographicDigital IndiaAadhaarBiometrics2016-03-21T08:38:34ZBlog EntryAadhaar Act and its Non-compliance with Data Protection Law in India
http://editors.cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
<b>This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</b>
<p> </p>
<h4>Download the file: <a href="http://editors.cis-india.org/internet-governance/blog/aadhaar-act-43a-it-rules" class="internal-link">PDF</a>.</h4>
<hr />
<p style="text-align: justify;">Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha <a name="_ftnref1"></a> . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.</p>
<p style="text-align: justify;">In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("<strong>IT Act</strong> ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("<strong>IT Rules</strong>"). Section 43A of the IT Act, 2000 <a name="_ftnref2"></a> holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.</p>
<p style="text-align: justify;">Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, <a name="_ftnref3"></a> could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.</p>
<p style="text-align: justify;">In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.</p>
<h3>1. Compensation and Penalty</h3>
<p style="text-align: justify;"><strong>Section 43A:</strong> Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.</p>
<p style="text-align: justify;"><strong>Aadhaar</strong> <strong>Act :</strong> Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.</p>
<ul style="text-align: justify;">
<li>Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI. </li>
<li>Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository. </li>
<li>Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li></ul>
<p style="text-align: justify;">Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.</p>
<h3>2. Privacy Policy</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.</p>
<p style="text-align: justify;"><strong>Implications:</strong> Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.</p>
<h3>3. Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act: </strong> The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).</p>
<p style="text-align: justify;"><strong>Implications:</strong> If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.</p>
<h3>4. Collection Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.</p>
<h3>5. Notice</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:</p>
<ul style="text-align: justify;">
<li>The fact that information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information</li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li></ul>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.</p>
<h3>6. Retention Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.</p>
<h3>7. Purpose Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p style="text-align: justify;"><strong>Aadhaar Act<a name="move447203643"></a></strong> Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.</p>
<p style="text-align: justify;"><a name="move4472036436"></a> Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<h3>8. Right to Access and Correct</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.</p>
<h3>9. Right to 'Opt Out' and Withdraw Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.</p>
<h3>10. Grievance Officer</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify;"><strong>Aadhaar Act</strong>: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.</p>
<h3>11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.</p>
<h3>12. Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.</p>
<h3>13. Security of Information</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.</p>
<h3>Implications of the Differences for Body Corporates in Aadhaar Ecosystem</h3>
<p style="text-align: justify;">An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other. <a name="move446519928"></a></p>
<p style="text-align: justify;">Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.</p>
<h3>Appendix I</h3>
<p style="text-align: justify;">The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:</p>
<p style="text-align: justify;"><strong>i. Opt-out clause:</strong> A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.</p>
<p style="text-align: justify;"><strong>ii. Voluntary:</strong> To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.</p>
<p style="text-align: justify;"><strong>iii.</strong> Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.</p>
<p style="text-align: justify;"><strong>iv.</strong> Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.</p>
<p style="text-align: justify;"><strong>v. Oversight Committee:</strong> The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.</p>
<p><strong>Sources:</strong></p>
<ul>
<li> <a href="http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/"> http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-act-to-lok-sabha-with-oppn-amendments/ </a> </li>
<li> <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"> http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/</a><br /><br /></li></ul>
<h3>Appendix II - Section 43A: Compensation for Failure to Protect Data</h3>
<p style="text-align: justify;">Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.</p>
<p style="text-align: justify;">For the purposes of this section:</p>
<ul>
<li>"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</li>
<li>"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;</li>
<li>"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.<br /><br /></li></ul>
<p style="text-align: justify;">The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals <em>engaged in commercial or professional activities</em>"</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india'>http://editors.cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india</a>
</p>
No publishervanyaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-18T11:43:02ZBlog EntryA Pathfinding Approach for Digital India
http://editors.cis-india.org/telecom/blog/business-standard-january-31-2017-and-organizing-india-blogspot-february-1-2017-shyam-ponappa-a-pathfinding-approach-for-digital-india
<b>It's not only the installation of the OFC, but of ensuring quality and reliability.</b>
<p>The article was published in the <a class="external-link" href="http://www.business-standard.com/article/opinion/shyam-ponappa-pathfinding-approach-for-digital-india-117013101475_1.html">Business Standard</a> on January 31, 2017 and reproduced on <a class="external-link" href="http://organizing-india.blogspot.in/2017/02/a-pathfinding-approach-for-digital-india.html">Organizing India Blogspot</a> on February 1, 2017.</p>
<hr />
<p style="text-align: justify; ">Most people believe an optical fibre cable (OFC) connection is necessary for broadband. While largely true, this is often financially viable only in urban agglomerations. What is less known is that trading companies use wireless links between New York and Chicago for high-speed electronic trades.<a href="#fn1" name="fr1">[1] </a>For people outside urban clusters, wireless is a less expensive alternative to fibre. They get only a few megabits per second, but realistically, ubiquitous broadband at 2 Mbps would be great.</p>
<p style="text-align: justify; "><span>Three factors are driving internet access and usage in India. An overriding factor is the growth of wireless devices and traffic as a global phenomenon. Cisco estimated in June 2016 that in 2015, wired access comprised 52 per cent of IP traffic, but would reduce to one-third by 2020, while wireless access would increase to two-thirds. This trend is reinforced by another factor: Innovation that lowers costs and improves performance in mobile wireless <i>(Chart 1)</i>.</span></p>
<p style="text-align: justify; "><span><b><span>Chart 1: Mobile Innovation Lowers Costs and Improves Performance</span></b></span></p>
<p style="text-align: justify; "><span><b><span><img height="208" src="https://3.bp.blogspot.com/-kklWnr7DWH4/WJIQfL4K8xI/AAAAAAAACrM/FWLSDxCA5aIvrxxlt7AQNRS66ob1WP8HQCLcB/s320/Mobile%2BInnovation%2BLowers%2BCosts%2B%2526%2BImproves%2BPerformance-Brookings.png" width="320" /></span></b></span></p>
<p style="text-align: justify; "><i><span><span>Sources: Cisco Visual Networking Index; International Telecommunication Union; IE Market Research; Motorola, Deutsche Bank; Qualcomm<br />Note: Data speed indicated the maximum downlink speed, not average observed speeds. The average observed speeds depend on many factors, including infra, subscriber density and device harware and software</span></span></i></p>
<p style="text-align: justify; "><span><span>The third factor is the combination of the geographic spread of our population, the concentration of broadband penetration (Chart 2), and the limited coverage of OFC networks. While major cities and their connecting links are covered by OFC, less populated and less commercially attractive areas between them are not. In hilly terrain, there is considerable difficulty in laying OFC, which extends far beyond cost. In urban areas, cost can be a deterrent because we lack reasonable, uniform charges for rights-of-way. Such procedures and practices are difficult to institute and enforce, but are essential for robust, viable OFC networks.</span></span></p>
<p style="text-align: justify; "><span><span><b><span>Chart 2: Broadband Penetration</span></b></span></span></p>
<p style="text-align: justify; "><span><span><b><span><img height="272" src="https://1.bp.blogspot.com/-dlwUGRQtTAo/WJIMAFROeHI/AAAAAAAACrA/L5okGjdonCcqmKpJEbmX0-wNZG0hg-IYwCLcB/s320/Broadband%2BPenetration-The%2BHindu-2016-08-25.png" width="320" /></span></b></span></span></p>
<p style="text-align: justify; "><span><span><span>Source: http://www.thehindu.com/sci-tech/technology/internet/The-India-wide-web/article14588938.ece</span></span></span></p>
<p style="text-align: justify; "><span><span><span>It's not only the installation of the OFC, but of ensuring quality and reliability. OFC networks in India apparently suffer from 12 to 14 cuts per km per month, whereas the international benchmark is 0.7 cuts per km km per month. Apart from more frequent repairs, the capital expenditure in India is nearly three times as high as in Australia or the US.<a href="#fn2" name="fr2">[2]</a></span></span></span></p>
<p style="text-align: justify; "><span><span><span>Estimates for installing OFC using standard procedures vary from about Rs 1 lakh to Rs 4 lakh per km. However, there have been attempts at getting costs down by radical changes in approach. For example, Andhra Pradesh considered an OFC installation of 22,500 km estimated Rs 4,700 crore. By stringing fibre overhead along electric cables, however, the estimate was cut to Rs 333 crore, reducing costs from Rs 21 lakh to under Rs 1.5 lakh per km. It remains to be seen how this network will perform in terms of quality and reliability. Also, wireless technology is needed to extend connectivity from the fibre to villages, and cellular network costs rise with less bandwidth. For instance, one estimate is that excluding spectrum costs, a network using 5 MHz costs nearly 70 percent more than using 20 MHz.</span></span></span></p>
<p style="text-align: justify; "><span><span><span>For all these reasons, we need concerted action to redesign our approach to broadband, covering the fundamentals of infrastructure, spectrum and market design. The exponential growth in mobile services has reached a plateau, and is complicated by the taint of the 2G spectrum scams. This has resulted in a mindset combining witch-hunting and paranoia in the press, the public, government departments, and the judiciary. This is not conducive for the coordinated, collective strategy and action that is required to extricate ourselves. Several proven wireless technologies are not permitted in India, although the Telecom Regulatory Authority of India has recommended their use. Methods to increase connectivity like those listed below are urgently needed, with requisite environmental safeguards such as the use of renewable energy.</span></span></span></p>
<ul>
<li><span><span><span>60 GHz (V band) wireless gigabit for short-haul; <br /></span></span></span></li>
<li><span><span><span>70 and 80 GHz (E band) for multi-gigabit backhaul up to 5 km;</span></span></span></li>
<li><span><span><span>TV White Space for the middle mile from the fibre to users in villages up to 8-10 km away in a single hop;</span></span></span></li>
</ul>
<p style="text-align: justify; "><span><span><span>Additional steps, e.g.:</span></span></span></p>
<ul>
<li>Increasing unlicensed spectrum in the 5.8 GHz band from 50 MHz to 80 MHz to enable 866 Mbps per channel, or more for gigabit capacity;</li>
</ul>
<ul>
<li style="text-align: justify; ">Enabling secondary sharing of spectrum bands such as TV White Space, which has the possibility of existing Indian IPR establishing domestic manufacturing and dominating this niche;</li>
</ul>
<p style="text-align: justify; ">It is evident that despite intense efforts by the people involved, our existing approach is simply not getting us to where we need to be. This has been repeated by government and private sector representatives many times. There’s no substitute for developing a sound approach, collectively and participatively, with professional facilitation, cutting across government, industry (operators and equipment providers), users, and the judiciary, to devise whatever solutions will deliver better results. We have to move away from adversarial deadlock.</p>
<p style="text-align: justify; "><span>A good way to begin is by accepting facts, and considering the evidence before dismissing points of view. For licensing, we know that government collections from revenue sharing far exceed the auction fees foregone (“<a href="http://organizing-india.blogspot.com/2016/04/breakthroughs-needed-for-digital-india.html" target="_blank">Breakthroughs Needed for Digital India</a>”). We have the experience of building other infrastructure such as roads and airports on revenue-sharing principles. We have to take a similar systematic, phased approach to designing and implementing broadband networks. Policies on infrastructure resource use including spectrum need to be rationalised, and the sector organised through participative path-finding and problem solving. We have to build national champions in manufacturing to keep costs affordable, for instance, using TV White Space. India could set the standard with its IPR and products where OFC is infeasible or unviable for connectivity to villages and rural clusters. Both the administrative and political leadership need to do this, working with all stakeholders, and not treating any of them as adversaries, or cronies.</span></p>
<div style="text-align: justify; ">
<div style="float: left; ">
<div style="float: left; "></div>
</div>
</div>
<p style="text-align: justify; "><span><b><span> </span></b></span></p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. ‘Information Transmission between Financial Markets in Chicago and New York’, Gregory Laughlin, Anthony Aguirre, and Joseph Grundfest, Cornell University Library, arXiv.org</p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. Conference presentation, Sterlite, <a href="http://www.trai.gov.in/sites/default/files/Sterlite-Badri.pdf">http://www.trai.gov.in/sites/default/files/Sterlite-Badri.pdf</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/blog/business-standard-january-31-2017-and-organizing-india-blogspot-february-1-2017-shyam-ponappa-a-pathfinding-approach-for-digital-india'>http://editors.cis-india.org/telecom/blog/business-standard-january-31-2017-and-organizing-india-blogspot-february-1-2017-shyam-ponappa-a-pathfinding-approach-for-digital-india</a>
</p>
No publisherShyam PonappaTelecomDigital India2017-03-03T16:39:37ZBlog EntryA Market Structure for Digital India
http://editors.cis-india.org/telecom/blog/business-standard-october-5-2016-shyam-ponappa-a-market-structure-for-digital-india
<b> If delivery is priced below cost, communications services will be unsustainable and ineffective. The stress in the telecom sector is evident from the data. The market capitalisation of listed telecom operators has been stagnant since the 3G auction in 2010, while the government collected Rs 2.83 lakh crore of non-tax charges from them.</b>
<p style="text-align: justify; ">The article originally published in the <a class="external-link" href="http://www.business-standard.com/article/opinion/shyam-ponappa-a-market-structure-for-digital-india-116100501200_1.html">Business Standard</a> on October 5, 2016 was mirrored in <a class="external-link" href="http://organizing-india.blogspot.in/2016/10/a-market-structure-for-digital-india.html">Organizing India Blogspot</a> on October 9, 2016.</p>
<hr />
<p style="text-align: justify; ">In March 2010 before the auction, the capitalisation was Rs 1.84 lakh crore; in March 2016, it was Rs 1.71 lakh crore, with the BSE Sensex up nearly 60 per cent. A larger share of earnings has gone to government rather than shareholders, and also to banks as interest (Rs 2.08 lakh crore). The irony is that no operator has bid so far for the most useful spectrum bands on auction, 700 and 900 MHz. Uncertainties abound, and there are several questions.</p>
<p style="text-align: justify; ">Reliance Jio's entry, although expected, is a jolt. Will voice calls priced below mandatory interconnect charges be treated as being predatory or anticompetitive? The technicality is that Jio doesn't have high market share, apparently a criterion under competition law. Will this hold, given that Jio's entry has reduced total market capitalisation? Will delivery capability in terms of network size and/or market power from associated businesses be relevant criteria for dominance? What happens when Jio does have sizeable market share?</p>
<ul>
<li style="text-align: justify; ">On the face of it, lower prices seem better for users. Look more closely and it's not so simple, especially when you consider other services in India offered for free or at highly subsidised rates. One issue is the structure of a market that supports delivery below cost, and its quality of services/products. Another is the criterion that maximises social welfare that should drive government's policies. Is consumer surplus in the short term a reasonable criterion? As it happens, we have experienced markets with constrained consumer surplus for years. For example, in the category of infrastructure and essential inputs/utilities, we've had this approach towards fertilisers, electricity, petroleum products like kerosene, cooking gas and diesel until recently, water, and sewerage. We've also experienced this in our entire range of manufactured products earlier, when we had exorbitant import barriers. These experiences have been less than sanguine. The misuse of kerosene and gas, and the effects of diesel subsidies are prominent examples. The distortions that have set in, such as overuse of ground water and fertilisers, and the vicious circle with electricity and diesel generators, will be difficult to correct.</li>
</ul>
<p style="text-align: justify; "> </p>
<ul>
<li style="text-align: justify; ">Aren't there similar deleterious effects in communications from spectrum auctions and government charges that inflate input costs, and price wars that degrade investment capacity for network extension and delivery? As it is, the quality of services for voice and data is very poor. An essential resource for better connectivity is spectrum, yet government's approach to its management has been and remains inimical to its stated objective of achieving ubiquitous access of good quality. Governments make it difficult for operators to extend networks simply by not setting the right administrative policies. To quote Google Vice-President Caesar Sengupta: India is "a very large country with very little spectrum". It does not seem clear to our governments that broadband access through fixed lines for everyone is infeasible in the foreseeable future. Also, that unless radical changes are made, it is inconceivable that broadband servcies can be made available at prices and quality comparable to TV.</li>
</ul>
<h3 style="text-align: justify; ">The Triad of Interests</h3>
<p style="text-align: justify; ">Even if the criterion for public welfare is user benefits/consumer surplus, judging by price alone is simplistic, because it misses other aspects of service delivery that contribute to the cost-benefit package. One essential aspect is ubiquitous access. Another is effective, consistent service delivery, which requires quality, and stability. A third is the period or life cycle. It doesn't help if you have an inexpensive product or service today, and nothing tomorrow. The definition of long term also varies, depending on one's perception of the life-cycle cost of the product/service. For a user, it may be several years, or his/her life cycle. For a society, it may mean generations.</p>
<p style="text-align: justify; ">In addition to consumer benefits, other factors need to be considered from the perspectives of pragmatism and realpolitik. Realistically, a triad of stakeholder interests has to be balanced for a sustainable beneficial outcome. These are: consumer and producer surplus, and what might be termed "government interests" in the broadest sense defined below. The latter has been manifest in many global spectrum auctions, and although detrimental to the sector, is an aspect of reality that cannot be wished away. For example, our governments preferred rationing and auctions to more constructive approaches such as sharing infrastructure, and when the Supreme Court ruled that resources need not be auctioned, spectrum was excluded, which seems logically indefensible. For sustainable, consistent services, champions of all three criteria must partner to adopt mutually acceptable solutions.</p>
<h3 style="text-align: justify; ">Assumptions about Enabling Policies</h3>
<p style="text-align: justify; ">Certain basic amenities comprise the essential infrastructure that everyone needs to be productive and have reasonable well-being. To some extent, this is linked to reasonably high per capita income. Without it, broad access to good infrastructure is infeasible. It takes that level of organisation, institutions and investment, including its implications for developing and organising human capital, to build such capabilities, as in Organisation for Economic Cooperation and Development (OECD) countries. Emerging economies have to manage with lower order platforms, or a subset of higher order services combined with others of lower order. Prioritisation then becomes the key, and areas of emphasis have to be chosen. This is where the priority accorded to Digital India comes in. If digital systems are crucial facilitators for development and productivity, they need to be accorded that level of importance and effort, with substantive changes to policies.</p>
<p style="text-align: justify; ">The government sets the policies and incentives. Government here means not just the central government and the states' executives, but the gamut of regulatory and government agencies: the legislature, the regulators, and the judiciary. These agencies must converge and persuade public opinion to support action in the public interest. Ultimately, society has to pay. If delivery is priced below cost in communications, the services will be as unsustainable and ineffective as in other distorted sectors with freebies.</p>
<hr />
<p style="text-align: justify; ">Reference: <i> Krishna Kant: <a href="http://www.business-standard.com/article/economy-policy/spectrum-fees-leave-no-money-in-shareholders-pockets-116092701398_1.html" target="_blank">http://www.business-standard.com/article/economy-policy/spectrum-fees-leave-no-money-in-shareholders-pockets-116092701398_1.html</a>, Business Standard, September 28, 2016</i>. The author can be contacted at shyamponappa@gmail.com</p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/blog/business-standard-october-5-2016-shyam-ponappa-a-market-structure-for-digital-india'>http://editors.cis-india.org/telecom/blog/business-standard-october-5-2016-shyam-ponappa-a-market-structure-for-digital-india</a>
</p>
No publisherShyam PonappaTelecomDigital India2016-10-10T02:09:06ZBlog Entry"Will the Magic Number Deliver?" - Roundtable on Aadhaar at CSLG, JNU, April 26
http://editors.cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016
<b>The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), will organise a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Rajeev Chandrasekhar, Prasanna S, Apar Gupta, and Chirashree Dasgupta, Sumandro Chattapadhyay will be one of the discussants. It will take place in the CSLG Conference Room at 6 pm.</b>
<p> </p>
<h3>Discussion Note</h3>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, was enacted by the Parliament on March 16. Thereafter it has been notified on March 26.</p>
<p>The Act empowers the UIDAI (Unique Identification Authority of India) to collect biometric and demographic information of residents to provide them with a unique number. This unique number is to be used for enumeration, identification and targeting of beneficiaries of government subsidies and services.</p>
<p>Since the creation of the UIDAI as an executive authority in 2009, this process of enumeration has been ongoing. Recently, it was announced that more than 100 crore residents have been given their aadhaar cards. Alongside, however, legal challenges have continued in the Supreme Court.</p>
<p>Given this context, this Roundatable Discussion will focus on the following set of questions (among others):</p>
<ul><li>
<p>Can the Aadhaar Number enable better delivery of government subsidies and services?</p>
</li>
<li>
<p>How does the Act ensure data protection?</p>
</li>
<li>
<p>Is there a right to privacy in India? What are the implications in the context of Aadhaar?</p>
</li>
<li>
<p>Does the Act ensure public access to statutory remedies in case of violations?</p>
</li>
<li>
<p>Did the Aadhaar Bill fulfil the requirements of a money bill?</p>
</li></ul>
<p> </p>
<h3>Discussion Format</h3>
<p>Setting the Theme - Short Introduction to the Topic by Natasha Goyal</p>
<p>Speakers' comments, 15 minutes each, consecutive, no power points</p>
<ul><li>
<p><a href="https://twitter.com/rajeev_mp">Rajeev Chandrasekhar</a>, Member of Parliament, Rajya Sabha</p>
</li>
<li>
<p><a href="https://twitter.com/ajantriks">Sumandro Chattapadhyay</a>, the Centre for Internet and Society</p>
</li>
<li>
<p><a href="https://twitter.com/prasanna_s">Prasanna S</a>, Lawyer</p>
</li>
<li>
<p><a href="https://twitter.com/aparatbar">Apar Gupta</a>, Advocate, Delhi High Court</p>
</li>
<li>
<p><a href="http://www.jnu.ac.in/FacultyStaff/ShowProfile.asp?SendUserName=chirashree">Dr. Chirashree Dasgupta</a>, Centre for the Study of Law and Governance</p>
</li></ul>
<p>Open Session (Moderated Q and A)</p>
<p>Followed by Tea</p>
<h3>Directions to Venue</h3>
<p>From JNU main gate, proceed straight until you get to a T-junction. Turn left. Continue until you reach a second T-junction. Turn right. Follow the road for just 0.7 km until you see a bus stop labelled “Paschimmabad.” About 50 m past the bus stop turn right at a sign that reads: “Centre for the Study of Law and Governance”. The CSLG building is on the right. The conference room is on the first floor.</p>
<h3>Poster</h3>
<img src="http://cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016/leadImage" alt="CSLG Roundtable Discussion - Will the Magic Number Deliver? - April 26, 6 pm" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016'>http://editors.cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016</a>
</p>
No publishersumandroUIDPrivacyDigital IndiaAadhaarBiometrics2016-04-20T10:49:58ZEvent