Monthly Archives: March 2014

Electronic Mail (E-Mail) Policy Of India

Electronic mail or e-mail has become an indispensable part of government, companies, individuals and businesses alike. However, the obligations and liabilities attached to the use of e-mail differ from stakeholder to stakeholder. Of all the stakeholders, the government owes the strictest responsibility to ensure that it has a robust and cyber secure e-mail infrastructure and policy in place.

The Indian government and its departments have not only failed to formulate and implement a robust and cyber secure e-mail policy but have also been negligent in securing crucial and sensitive government and public data. As of today, much sensitive data and many documents reside on the servers of foreign e-mail service providers, from where they are openly available to foreign intelligence and security agencies to analyse.

The e-mail policy of India has been in the pipeline for long, but till now nothing has been done in this regard. This is a serious issue, as e-mail is one of the favourite methods of cyber criminals to compromise computer systems and to gain sensitive and personal information. Further, service providers like Gmail are abetting and encouraging the commission of cyber crimes as well. E-mail service providers like Gmail, Yahoo, Hotmail, etc. are also facilitating violations of the provisions of the Public Records Act, 1993 wherever public records are involved.

Realising the seriousness of the situation, the Delhi High Court is analysing the e-mail policy of India and the complaint mechanism to Facebook. The Delhi High Court has also directed the central government to issue a notification regarding electronic signatures under the Information Technology Act 2000. An advisory by the Maharashtra Government to use official e-mails has already been issued. The Delhi High Court has once again chided the central government and the Department of Electronics and Information Technology (DeitY) and given them four weeks in total to come up with the e-mail policy of India.

DeitY has already issued policy documents in this regard. These include the e-mail services and usage policies of the Government of India (PDF), the NIC policy on the format of e-mail addresses (PDF), the password policy of the Government of India (PDF), the security policy for users by the Government of India (PDF) and the service level agreement by the Government of India (PDF).

The Indian government has also failed on the fronts of privacy protection and data protection (PDF). Even the Parliamentary Committee slammed the Indian government for poor privacy laws in India. The Supreme Court of India has also prohibited UIDAI from sharing the sensitive biometric details of registered Aadhar users. There is no sense in delaying the enactment of the e-mail policy of India, the privacy law and the data protection law of India, and the same must be done as soon as possible.

Supreme Court Of India Prohibits UIDAI From Sharing Biometric Data With Indian Government Agencies Without Data Owner’s Consent

PRAVEEN DALAL, MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLB

The Aadhar Project by the Unique Identification Authority of India (UIDAI) is the “Most Vicious Project” that has been undertaken by the Indian Government so far. It is actively violating various Constitutional Protections as prescribed by the Indian Constitution. The very existence of Aadhar is based upon Deception, Lie, Illegality and Unconstitutionality. Under the garb of Public Welfare, the Indian Government has been pushing a Draconian E-Surveillance Project that cannot withstand the tests of Constitutionality. Further, the very Collection of Biometric Details of Indian residents/citizens is Unconstitutional. UIDAI has also Validated E-Aadhaar as a Valid Document like the Paper based Aadhaar Number.

The Aadhar Project also suffers from many Fallacies and Weaknesses. These include lack of Data Security, Cyber Security, Data Protection (PDF), Privacy Protection, etc. Recently, the Parliamentary Committee slammed the Indian Government for Poor Privacy Laws in India. The Indian Government and its Agencies have been violating the Civil Liberties of Indians in Cyberspace for long. Privacy Rights in the Information Era need to be properly safeguarded by the Indian Government if it is to remain on the right side of the Constitution.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, the National Intelligence Grid (NATGRID), the Crime and Criminal Tracking Network and Systems (CCTNS), the National Counter Terrorism Centre (NCTC), the Central Monitoring System (CMS), the Centre for Communication Security Research and Monitoring (CCSRM), the Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them is governed by any Legal Framework and none of them is under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

It was natural that in these circumstances the Aadhar Project was bound to be challenged before various Courts in India. The Supreme Court of India is hearing one such case against the Compulsory use of the Aadhar Number for the delivery of Public Services. The Supreme Court has already held in the past that the Aadhar Number/Card cannot be made Mandatory for providing Public Services. Even the Banks in India have “Out Rightly Rejected” the demand of the Reserve Bank of India to use the Aadhaar Number/Card/Data in all new ATMs and Point of Sale (POS) Machines.

In another jolt to the Aadhar Project, the Supreme Court on Monday restrained the Centre and the UIDAI from sharing the vast biometric database of Aadhaar cards with any third party or agency without the consent of the registered person. The Court also directed that people cannot be denied any service or benefit for not having an Aadhaar card. The court said any order passed by authorities to make Aadhaar mandatory shall be withdrawn immediately. On using the database in Criminal Investigation, a Bench led by Justice B S Chauhan said that information about fingerprints and other data could be shared only after the suspect approves it. This is a sensible direction by the Supreme Court, and the Indian Government must now focus more upon the enactment of a Privacy Law and a Law Governing UIDAI and its Illegal and Unconstitutional Biometrics Collections.

European Union Strengthens Privacy Rights And Data Protection Amid Global E-Surveillance Practices

The European Union (EU) has been working in the direction of making consumers’ data and information safe and secure. In times of blatant e-surveillance by countries like the United States, India, the United Kingdom, etc., this is a welcome step. At Perry4Law we welcome this initiative of the EU, as it would go a long way in strengthening civil liberties protection in EU cyberspace. We also welcome the efforts of the EU to strengthen consumer rights by introducing effective dispute resolution mechanisms for those engaging in online business and transactions.

The developments in privacy and data protection at the EU have been systematic and consistent over a long period of time. Some significant developments in this regard are the draft European Parliament Legislative Resolution for the General Data Protection Regulation 2009-2014 (PDF), the European Parliament’s support for the Commission’s efforts to foster EU Citizens’ Rights, Memo 14-185 (PDF), the MEPs’ anti-surveillance stand against the U.S. NSA (PDF), etc. The latest addition to this civil liberties protection list is the European Parliament’s supporting vote for the EU data protection reforms (Word), which have now become irreversible in nature. The new Data Protection Regulation was approved with 621 votes for, 10 against and 22 abstentions.

There had been concern that any delay in the vote would see the whole process put into the hands of a new parliament following elections in May. The current parliament will now speak to ministers from the EU’s member states and agree on a timetable to implement the law.

“Most people are entirely unaware that their rights are being violated when online due to what are now everyday business practices. Those who are aware, have negligible ability to control how this data on their daily lives, buying behavior, social media use, political views, hobbies, financial data and health records is collected and processed,” said Monique Goyens, director general of The European Consumer Organisation.

Although the vote was welcomed by consumer groups, the tech industry is concerned that it will place more burdens on businesses. For instance, the Industry Coalition for Data Protection (ICDP), a group of 16 associations representing European and international companies, described the new law as an “overly prescriptive, freeze-frame approach that would be unworkable in practice, even for data protection authorities”.

The new law includes higher fines for breaches of data protection law in the EU, up to 5 percent of worldwide revenue or a fine of €100 million (US$138 million), whichever is greater. The original draft of the text had called for 2 percent, but the European Parliament decided to raise it.

Citizens will also gain the so-called right to be forgotten. Businesses must comply with any demand by a customer for the erasure of their personal data when there are no legitimate grounds for retaining it. However the European Commission pointed out that this is not a right to re-write history: legitimate reasons to retain data include, for example, newspaper archives.

Explicit consent is also required for businesses wishing to process data. Organisations processing people’s data must provide standardised information policies to explain what they are doing with it and why. Businesses and organisations will be required to inform users, paying or not, about data breaches “without undue delay”. There is much debate about what constitutes “undue delay”; 24 hours is considered to be sufficient time for any organisation to notify users. Cyber security breaches also need a mandatory reporting mechanism, which is presently missing the world over.

Cyber law due diligence for European business has already been prescribed by the EU. As per the new EU framework, member states must take the necessary measures to make sure that firms who indulge in any kind of cyber crime can be held accountable. The rules allow member states to impose punishment even if an employee carried out hacking without the bosses’ knowledge. This is more on the lines of “strict liability”, which business houses and owners must keep in mind. Similarly, this would also require businesses to appoint chief information officers and chief technology officers so that their business interests can be adequately safeguarded.

Under the new regulation, users will have the right to demand that businesses send them all the information they have stored about them. Where requests to access data are ‘excessive or repetitive’, smaller companies will be allowed to charge a fee for providing access. A one-stop-shop principle, allowing a business to deal with just the data protection authority where it is based, not all 28 across the EU, will be enacted. However, the data protection authority in each member state will be empowered to impose sanctions as well as regular inspections on companies found to be in breach of the rules.

The new law would apply to all companies handling EU citizens’ data, whether they are based in the EU or not. Thus, companies located in other jurisdictions and handling EU citizens’ data would also be covered. The EU has to manage the conflict of laws in cyberspace, as different countries may have different laws in this regard. For instance, India has neither a privacy law nor a data protection law (PDF). How the EU norms would apply to Indian BPO and KPO companies and firms is yet to be ascertained by the EU.

The new regulation would replace the 1995 legislation, but the new rules still need to be backed by EU governments, some of which have so far been stalling on the reform.

Meanwhile in a separate vote the European Parliament approved calls to put data sharing with the U.S. on hold. The report condemns the mass surveillance programs by EU member states as well as those by the U.S., and calls for the suspension of the Terrorist Finance Tracking Program (TFTP) agreement and the Safe Harbor agreement. TFTP allows the U.S. access to EU citizens’ banking transfers while Safe Harbor is a voluntary program, enforceable by law, whereby U.S. companies promise to manage EU citizens’ data securely.

But the most far-reaching element of the resolution, drawn up after 16 hearings over six months, is that parliament should withhold its consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the U.S. unless it fully respects EU fundamental rights. Despite the strong words, it is not within the European Parliament’s power to implement them. Any suspension of agreements would have to come from the European Commission. Nevertheless, the mood of the European Parliament is now well known.

Texas Appeals Court Rules That Law Enforcement Officials Do Need A Warrant To Search An Arrested Person’s Cell Phone After They’ve Been Jailed

The State Of Texas V. Anthony Granville, No. PD-1095-12 (PDF) is a pro-privacy decision for Texas citizens. The decision was given by a bench of 8 judges, of whom 7 formed the majority while 1 delivered a dissenting judgment. Recently, the Massachusetts Supreme Judicial Court ruled that phone users have a legitimate expectation of privacy.

These decisions have come at a very crucial time, when the U.S. Supreme Court has accepted a Writ of Certiorari in the Riley David L v State Of California case, Order List 571 US Dated Friday January 17 2014 (PDF). The Supreme Court will very soon decide whether evidence admitted at the petitioner’s trial was obtained in a search of the petitioner’s cell phone that violated the petitioner’s Fourth Amendment rights.

Anthony Granville’s case raises the issue of whether a person retains a legitimate expectation of privacy in the contents of his cell phone when that phone is being temporarily stored in a jail property room. The trial judge granted Anthony Granville’s motion to suppress, concluding that the high-school student did not lose his legitimate expectation of privacy in his cell phone simply because it was being stored in the jail property room after he had been arrested for a Class C misdemeanor. The court of appeals affirmed that ruling.

The Court of Criminal Appeals of Texas granted the SPA’s petition for discretionary review, but it rejected the argument that a modern-day cell phone is like a pair of pants or a bag of groceries, for which a person loses all privacy protection once it is checked into a jail property room. It affirmed the judgment of the court of appeals.

In effect it means that law enforcement officials of Texas do need a warrant to search an arrested person’s cell phone after he/she has been jailed. The ruling did not decide whether it is legal for police to search a suspect’s phone at the time of arrest. That is the subject matter of the pending decision of the U.S. Supreme Court in the Riley David case. However, the Texas ruling has established that a person has a legitimate expectation of privacy over the contents of his/her cell phone while the phone is being stored in the jail property room.

The majority judgement observed that the Fourth Amendment states that “[t]he right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated.” The term “papers and effects” obviously carried a different connotation in the late eighteenth century than it does today. No longer are they stored only in desks, cabinets, satchels, and folders. Our most private information is now frequently stored in electronic devices such as computers, laptops, iPads, and cell phones, or in “the cloud” and accessible by those electronic devices. But the “central concern underlying the Fourth Amendment” has remained the same throughout the centuries; it is “the concern about giving police officers unbridled discretion to rummage at will among a person’s private effects.” This is a case about rummaging through a citizen’s electronic private effects – a cell phone – without a warrant.