Are India And United States Collaborating On Illegal And Unconstitutional E-Surveillance And Eavesdropping?

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLB

Civil Liberties Protection in Cyberspace is a complicated techno legal field that requires a techno legal orientation and framework. Neither technological nor legal method alone is sufficient to manage Civil Liberties issues in Cyberspace. Conflict of Laws in Cyberspace adds further complications and techno legal challenges for various stakeholders. As a result, the approach towards Civil Liberties and Conflict of Laws in Cyberspace is largely “Territorial and National” in nature.

This has given a wide range of “Options for E-Surveillance” and “Illegal Searches” that are otherwise not possible in a “Constitution bound Nation”. For instance, James Clapper has confirmed that NSA has been targeting foreign Citizens for Surveillance. Similarly, many believe that NSA has been doing E-Surveillance and Eavesdropping through Utah Data Center though it is denied by the NSA. Similarly, NSA has also been using Radio Waves and Malware to indulge in Unconstitutional and Illegal E-Surveillance around the World. If this is not enough, Anti Virus Updates are being used as a potential tool to install Malware, steal information and launch Cyber Warfare Attacks. These activities have serious Civil Liberties implications that are also “Teasing and Testing” the Constitutional Safeguards and Protections.

It is not at all possible to indulge in “Global E-Surveillance and Eavesdropping” till other Nations approve the same. For instance, FinFisher is a Global Electronic Spying, E-Surveillance and Eavesdropping Malware. The Command and Control Servers for FinFisher were found in 36 Countries including India. Similarly, Vodafone has confirmed existence of “Secret Wires” for Government E-Surveillance and Eavesdropping Worldwide, including in India. The Department of Telecommunication (DOT) has already ordered an Investigation in this regard but the same is just a tactic to ward off criticism of blatant and endemic E-Surveillance activities of India.

There are “Strong Reasons to Believe” that India and United States are “Collaborating” on Illegal and Unconstitutional E-Surveillance and Eavesdropping on a “Mutually Beneficial Basis”. This is happening with great disregard to the Constitutions of India and United States. There is an urgent need to “Investigate” about this “Unholy Nexus” between India and United States that is striking at the very root of Civil Liberties Protection in Cyberspace.

Intelligence agencies of India are working in a condition that required immediate Parliamentary Oversight and Intelligence Reforms in India.  The Intelligence Infrastructure of India needed Transparency and Strengthening in these circumstances. However, Congress Government was not interested in bringing such reforms and it kept on violating the Civil Liberties of Indians in a blatant manner.

Till now there is no “Public Report” of the investigation made by DOT against the Vodafone’s allegations. In fact, the Narendra Modi Government has still not cleared its stand regarding “Illegal and Unconstitutional Projects” like Central Monitoring System (CMS) Project of India and Internet Spy System Network and Traffic Analysis System (NETRA) of India. In these circumstances, it is safe to presume that the Modi Government would continue with the Illegal and Unconstitutional E-Surveillance activities of the Congress led Government.

The proposed National Telecom Policy of India 2014 is also “Silent” on Protection of Civil Liberties in Cyberspace and Illegal E-Surveillance and Eavesdropping. In fact, it is “Neither Balanced nor Constitutional” as on date. The Narendra Modi Government must ensure Privacy to Indians on a priority basis. This must be done by formulating and enacting a dedicated Privacy Law of India as soon as possible. The Parliamentary Committee has already slammed Indian Government for Poor Privacy Laws in India.

There are many problems that Modi Government would face while ensuring Privacy to Indians. We have no E-Surveillance Policy (PDF) and Encryption Policy (PDF) in India. We have no dedicated Data Protection and Privacy Laws in India (PDF). We have Draconian and Colonial Laws like Cyber Law and Telegraph Law that deserve immediate repeal. We have Bad Cyber Security Conditions (PDF) and a missing Telecom Security Policy of India. This would raise serious Cyber Security Challenges before the Modi Government in near future and would adversely impact the Privacy Rights of Indians in the Cyberspace.

Whatever the case may be, we need to ensure Civil Liberty Protection in Cyberspace for Indian Citizens “At All Costs and By All Means”. The digital life of Indian Citizens is not at all safe and is open to various forms of E-Surveillance and Eavesdropping. In the absence of support from Indian Government, Self Defence is the only viable option left before Indian Citizens to safeguard their digital lives. The initiatives titled PRISM Break and Reset the Net are worth exploring in this regard as a “Starting Point”.

SEBI Plans To Form Office Of International Affairs (OIA) For Surveillance And Information Sharing

The Securities and Exchange Board of India (SEBI) has been trying to increase its regulatory powers for long. Initially, SEBI was able to acquire the power to monitor investors’ call records and conduct searches at companies suspected of wrongdoing. Now SEBI is contemplating forming an office of international affairs (OIA) for surveillance and information sharing purposes.

Information and communication technology (ICT) is increasingly being used for business and other purposes. This results in spreading of relevant information in different parts of the world. In the absence of international cooperation, regulators and law enforcement agencies cannot investigate frauds and crimes effectively. Naturally, SEBI has to coordinate with its international counterparts for effective investigation of security related matters.

SEBI has constituted a full-fledged “International Affairs” team and is also working on a “comprehensive study” to understand the surveillance mechanism of regulators in developed markets like the US, UK, Australia and Hong Kong. The study would include analysis of foreign regulators’ “surveillance infrastructure and techniques to decipher patterns in the trading, formation of associations between entities and gathering of market intelligence including linkage of price volume pattern to market information”. Further, the best practices followed in developed markets relating to surveillance of algorithmic and high-frequency trading, which uses latest technology to execute trades in milli-seconds, would also be looked into.

The office of international affairs (OIA) at SEBI would act as a central facilitation cell for overseas entities having regulatory issues and concerns relating to Indian securities market. In appropriate cases, OIA will seek to flag and coordinate such issues with relevant departments within SEBI. Similarly, securities market participants from India may request OIA for regulatory assistance. The OIA is also tasked with keeping SEBI abreast of global developments, so that necessary steps can be taken by it while introducing and implementing regulatory measures.

While this is a good step in the right direction, SEBI has to take care of many techno legal issues in this regard. For instance, SEBI has to comply with privacy laws, data protection requirements (PDF), cyber law due diligence (PDF), cyber security requirements, etc. These regulatory requirements are not clear and this may create trouble for SEBI in the long run. There is an urgent need for the Narendra Modi government to ensure privacy to Indians. The e-surveillance policy (PDF) must also be formulated as soon as possible.

Narendra Modi Government Must Ensure Privacy To Indians

Privacy rights in India have always been ignored by the Congress led government. This was done deliberately and with a sinister purpose to facilitate endemic e-surveillance in India. The Congress led government forced e-surveillance projects like central monitoring system (CMS), network and traffic analysis system (NETRA), Aadhaar, national intelligence grid (Natgrid), etc without any procedural safeguards and parliamentary oversight.

Intelligence agencies of India were working in a condition that required immediate parliamentary oversight and intelligence reforms in India.  The intelligence infrastructure of India needed transparency and strengthening in these circumstances. However, Congress government was not interested in bringing such reforms and it kept on violating the civil liberties of Indians in a blatant manner.

The Congress led government was also not interested in formulating suitable privacy laws for India. On the other hand, it was more interested in removing any sort of privacy protection. The Congress government kept on deferring enactment of a dedicated privacy law for India despite suggestions from many committees and experts. The natural question is: can the Narendra Modi government ensure privacy to Indians?

There are many problems that Modi government would face while ensuring privacy to Indians. We have no e-surveillance policy (PDF) and encryption policy (PDF) in India. We have no dedicated data protection and privacy laws in India (PDF). We have draconian and colonial laws like cyber law and telegraph law that deserve immediate repeal. We have bad cyber security conditions (PDF) and a missing telecom security policy of India. This would raise serious cyber security challenges before the Modi government in near future and would adversely impact the privacy rights of Indians in the cyberspace.

Recently telecom company Vodafone revealed that governments across the world, including India, have been using secret wires to indulge in e-surveillance upon their citizens. The Department of Telecommunication (DoT) is already investigating this issue but unless a public report is issued by it very soon, the entire exercise would be a time gaining exercise only.

It is high time for Modi government to take some serious steps in the direction of protecting the privacy rights of Indian citizens. Whatever the case may be, we need to ensure civil liberty protection in cyberspace for Indian citizens “At All Costs and By All Means”. The digital life of Indian citizens is not at all safe and is open to various forms of e-surveillance, eavesdropping and phone tapping. Even the very own national identity cards projects of Modi government have serious privacy and constitutional issues as per experts.

In the absence of support from Indian government, self defence is the only viable option left before Indian citizens to safeguard their digital lives. The initiatives titled PRISM Break and Reset the Net are worth exploring in this regard as a “starting point”.

National Population Register (NPR) Would Recognise Citizens Alone For Issuance Of National Identity Cards In India

The demise of aadhaar number was very obvious as it was a purely illegal and unconstitutional project. The Narendra Modi led government was left with limited options regarding the Aadhaar project and its scrapping was the top choice for it. Now hints have been given by the central government that Aadhaar project may be scrapped ultimately.

However, in order to achieve this task, the central government needs to strengthen its own pet project i.e. National Population Register (NPR). Working in this direction, the home ministry of India has asked the Registrar General of India (RGI) to identify the “citizens” and “non-citizens” while preparing the NPR. The NPR authorities will undertake a door-to-door verification exercise across the country in this regard.

The citizens’ register, to be called the National Register of Indian Citizens, will serve as the database for national identity cards carrying a unique national identity number for each citizen of the country, besides other identification fields. A list of 19 documents – including birth certificate, death certificate, land records, school records – have been identified for proof of citizenship. Regarding non-citizen residents of the country, there is a proposal to issue them resident identity cards, which will be of a colour different from the national identity cards held by citizens.

The Aadhaar project was suffering from a major setback in the sense that it issued numbers/cards to even non citizens and illegal migrants in India. This was resulting in granting of benefits of public welfare schemes to even those who were not entitled to the same.

Sources in the government indicated that UIDAI, which administers the Aadhar scheme, may soon see its role diminished due to de-duplication, even as NPR focuses on biometrics collection. The government will also take a call on whether the existing Aadhar database is to be handed over to the NPR authorities, which may then carry out address verification in line with its security norms.

However, the NPR exercise has its own “Demerits and Constitutional Issues” and they must be resolved first. Simply merging of Aadhaar and NPR biometric data is not a sensible option according to Praveen Dalal. More detailed and constitutional analysis of NPR and national identity cards would be provided by Praveen Dalal very soon.

Himachal Pradesh Vigilance Bureau (VB) Would Recommend Action Against Officers Guilty Of Illegal Phone Tapping

Illegal and unlawful telephone tapping in India has become a major nuisance. In the absence of a lawful interception law in India, telephone tapping is happening in an unregulated manner in India. There is a dire need to formulate dedicated privacy law and telephone tapping law of India as soon as possible in these circumstances. Law enforcement agencies are conducting e-surveillance and phone tapping without any parliamentary regulations and oversight.

Even intelligence agencies of India need parliamentary oversight so that there is a balance between the law enforcement and national security requirements on the one hand and civil liberties of Indians on the other. Similarly, the intelligence infrastructure of India needs transparency and strengthening.

It has now been reported that the Himachal Pradesh vigilance bureau (VB) would recommend action against some officials who have been suspected of departmental misdemeanor in the phone tapping case. The VB has already sought prosecution sanction against former DGP I D Bhandari in the phone tapping case.

Bhandari has already clarified that there was no telephone tapping or bugging under him during the BJP regime. However, a senior VB official, requesting anonymity, said that investigation found Bhandari responsible for illegal tapping of phones as records were not destroyed in the given time and copies of records were found stored in an almirah.

Sources said that vigilance officials in the draft chargesheet prepared in the case have also given clean chit to then inspector general (IG) of CID by describing him as a mere rubber stamp, who only signed letters but never stepped inside the technical cell where phones were being tapped. Sources, however, added that the IG could face departmental inquiry for not dispensing his duty properly.

Other junior-level officers who had tapped phones were not found involved in the crime on the ground that they only obeyed orders of then ADGP (CID) I D Bhandari. Officials said that as per the relevant Act, phone tapping could be ordered only by an IG-level officer or those above him.

Sources said that in some cases permission to tap phones was sought without furnishing complete details and on vague addresses. Officials claimed that investigation concluded that phones were tapped at the behest of then ADGP (CID) I D Bhandari. Sources said that as the home department had no direct role to play in it, neither the home secretary nor the then home minister were included in the chargesheet as nothing criminal was found on their part.

This is another incident where phone tapping has been conducted in an illegal manner due to lax and illegal laws of India. Time has come to change these draconian and archaic laws as soon as possible.

Google Must Ensure Right To Be Forgotten To Its Users Says European Union Court Of Justice (ECJ)

European Union (EU) and European Court of Justice (ECJ) have been stressing real hard to ensure privacy protection to their citizens. While many countries have not been able to persuade companies like Google, the EU and ECJ have been maintaining their strict requirements regarding protection of privacy rights within their jurisdictions.

Similarly, allegations of tax avoidance have been levelled against Amazon, Google and Starbucks regarding UK Tax Laws. The European Commission and publishers’ settlement for e-book price fixing is also known to public. The hints are clear that Google, Facebook, Samsung etc may face more scrutiny from EU and US regulators regarding various regulatory issues, including privacy issues.

Unfortunately, countries like United States, India, United Kingdom, etc are working towards curbing civil liberties in cyberspace on the one hand and increasing unconstitutional e-surveillance powers on the other hand. On the other hand, EU has been working in the direction of making consumers’ data and information safe and secure.

The developments of privacy and data protection at the EU are systematic and consistent in nature over a long period of time. Some significant developments in this regard are draft European Parliament Legislative Resolution for General Data Protection Regulation 2009-2014 (PDF), European Parliament’s support for Commission’s efforts to foster EU Citizens’ Rights Memo 14-185 (PDF), MEPs anti surveillance stand against U.S. NSA (PDF), etc. The latest to add to this civil liberties protection list is supporting vote of European Parliament for EU data protection reforms (Word) that have now become irreversible in nature.  The new Data Protection Regulation was approved with 621 votes for, 10 against and 22 abstentions.

Now it has been reported that ECJ has held that Google can be required to remove sensitive information from its Internet search results. The case underlines the battle between advocates of free expression and supporters of privacy rights, who say people should have the “right to be forgotten” meaning that they should be able to remove their digital traces from the Internet.

The ruling is the outcome of a litigation initiated by a Spanish man who complained to the Spanish data protection agency that an auction notice of his repossessed home on Google’s search results infringed his privacy. The case is one of 180 similar cases in Spain whose complainants want Google to delete their personal information from its search results. However, Google maintains that forcing it to remove such data amounts to censorship. The ECJ does not seem to be convinced by this argument of Google and held that the rights of people whose privacy has been infringed outweighed the general public interest.

“If it is found, following a request by the data subject, that the inclusion of those links in the list is, at this point in time, incompatible with the directive, the links and information in the list of results must be erased,” judges said. Thus, people could ask Google to delete sensitive data or go to a relevant authority if Google fails to comply with their request. Adopted in 1995, Europe’s data protection directive is now currently being revised to make the rules stricter.

Indian Supreme Court Seeks Response From Election Commission (EC) Regarding Right To Privacy Attached To Voting

Privacy right has not been specifically conferred by the Constitution of India. But the same has been interpreted to be part of Article 21 of the Indian Constitution and is deemed to be a part of life and liberty by the Supreme Court of India. The privacy rights in the information era have further expanded the scope of privacy rights in India. Despite the importance of this basic human right we have no dedicated data protection laws in India (PDF) and privacy laws in India. In fact, when it comes to respecting Privacy of Indian Citizens, Government of India tries its level best to avoid the same.

For instance, India has launched Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Now it has been reported that the Supreme Court today sought the response of the Election Commission (EC) on a plea seeking an end to ward-wise counting of votes on the ground that the declaration of result of every polling booth strikes at the root of right to privacy attached to voting.

A bench comprising justices Dipak Mishra and N V Ramana issued notice to the EC and sought its reply by 21 May on a proposal that the result of every parliamentary constituency be declared as a whole and not through ward-wise counting of votes of every electronic voting machine (EVM).

The petition said, “The result of every EVM must not be disclosed.” The bench was hearing a public interest litigation (PIL) filed by Punjab-based advocate Yogesh Gupta submitting that “the uniform way of declaration of result for the entire constituency as a whole would bring balanced growth and balanced funding and it would also reduce cases fuelled by political vendetta, ill will and hatred”.

The petition, which has come four days ahead of the counting of votes for ongoing Lok Sabha election, said the result is again going to be declared by announcing the outcome of every EVM which would lead to adverse impact on the voters as the political parties would harass the electorate in areas where it has not received the votes.

To buttress his contention that an amendment in the system would reduce intimidation and blackmail tactics, the lawyer cited reported threat by Maharashtra Deputy Chief Minister Ajit Pawar to residents of Baramati village on the eve of polling that he would cut off water supply if they did not cast their ballot in favour of his cousin and sitting NCP MP Supriya Sule.

“In the present form of declaration of result the political parties would become aware of the wards where they have not been voted and where they have got maximum votes,” the petition said, adding that “the present form of declaration of results also acts as a catalyst for the registration of false cases based on political vendetta against the persons who have not voted for the victorious parties”.

The advocate submitted that the proposed manner of declaration of results of every parliamentary constituency as a whole would go a long way in restoring the right of privacy as the political parties will not be able to find out the number of votes cast in their favour from different wards and the political parties would only get information regarding the votes cast in the entire constituency.

Electronic Mail (E-Mail) Policy Of India

Electronic mail or e-mail has become an indispensable part of government, companies, individuals and businesses alike. However, the obligations and liabilities to use e-mail are different for different stakeholders. Of all the stakeholders, the government owes the strictest responsibility to ensure that it has a robust and cyber secure e-mail infrastructure and policy in place.

Indian government and its departments have not only failed to formulate and implement a robust and cyber secure e-mail policy but they have also been negligent on the front of securing crucial and sensitive government and public data. As on date many sensitive data and documents are residing on the servers of foreign e-mail service providers from where they are openly available to foreign intelligence and security agencies to analyse.

The e-mail policy of India has been in pipeline for long but till now nothing has been done in this regard. This is a serious issue as e-mail is one of the favourite methods of cyber criminals to compromise computer systems and to gain sensitive and personal information. Further, service providers like G-mail are abetting and encouraging commission of cyber crimes as well. E-mail service providers like g-mail, yahoo, hotmail, etc are also facilitating violation of the provisions of Public Records Act, 1993 wherever public records are involved.

Realising the seriousness of the situation, Delhi High Court is analysing e-mail policy of India and complaint mechanism to Facebook. The Delhi High Court has also directed central government to issue notification regarding electronic signature under Information Technology Act 2000. An advisory by Maharashtra Government to use official e-mails has already been issued. The Delhi High Court has once again chided the central government and department of electronics and information technology (DeitY) and given them four weeks time in totality to come up with the e-mail policy of India.

DeitY has already issued policy documents in this regard. These include email services and usage policies of Government of India (PDF), NIC policy on format of e-mail address (PDF), password policy of Government of India (PDF), security policy for users by Government of India (PDF) and service level agreement by Government of India (PDF).

Indian government has also failed on the fronts of privacy protection and data protection (PDF). Even the Parliament committee slammed Indian government for poor privacy laws in India. The Supreme Court of India has also prohibited UIDAI from sharing sensitive biometric details of the registered Aadhar users. There is no sense in delaying enactment of e-mail policy of India, privacy law and data protection law of India and the same must be done as soon as possible.

Supreme Court Of India Prohibits UIDAI From Sharing Biometric Data With Indian Government Agencies Without Data Owner’s Consent

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLB

Aadhar Project by Unique Identification Authority of India (UIDAI) is the “Most Vicious Project” that has been undertaken by Indian Government so far. It is actively violating various Constitutional Protections as prescribed by Indian Constitution. The very existence of Aadhar is based upon Deception, Lie, Illegality and Unconstitutionality. Under the garb of Public Welfare, Indian Government has been pushing Draconian E-Surveillance Project that cannot withstand the tests of Constitutionality. Further, the very Collection of Biometrics Details of Indian residents/Citizen is Unconstitutional. UIDAI has also Validated E-Aadhaar as a Valid Document like Paper based Aadhaar Number.

Aadhar Project is also suffering from many Fallacies and Weaknesses. These include lack of Data Security, Cyber Security, Data Protection (PDF), Privacy Protection, etc. Recently, the Parliamentary Committee slammed Indian Government for Poor Privacy Laws in India. Indian Government and its Agencies have been violating Civil Liberties of Indians in Cyberspace for long. Privacy Rights in the Information Era need to be properly safeguarded by Indian Government to remain on the right side of the Constitution.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

It was natural that in these circumstances the Aadhar Project was bound to be challenged before various Courts in India. The Supreme Court of India is hearing one such case against Compulsory use of Aadhar Number for delivery of Public Services. The Supreme Court has already held in the past that Aadhar Number/Card cannot be made Mandatory for providing Public Services. Even the Banks in India have “Out Rightly Rejected” the demand of Reserve Bank of India to use Aadhaar Number/Card/Data by all new ATMs and Point of Sale (POS) Machines.

In another jolt to the Aadhar Project, the Supreme Court on Monday restrained the Centre and the UIDAI from sharing the vast biometric database of Aadhaar cards with any third party or agency without the consent of the registered person. The Court also directed that people cannot be denied any service or benefit for not having an Aadhaar card.  The court said any order passed by authorities to make Aadhaar mandatory shall be withdrawn immediately. On using the database in Criminal Investigation, a Bench led by Justice B S Chauhan said that information about fingerprints and other data could be shared only after a suspect approves it. This is a sensible direction by the Supreme Court and Indian Government must now focus more upon enactment of Privacy Law and a Law Governing UIDAI and its Illegal and Unconstitutional Biometrics Collections.

European Union Strengthens Privacy Rights And Data Protection Amid Global E-Surveillance Practices

European Union (EU) has been working in the direction of making consumers’ data and information safe and secure. In time of blatant e-surveillance from countries like United States, India, United Kingdom, etc this is a welcome step. At Perry4Law we welcome this initiative of EU as this would go a long way in strengthening civil liberties protection in EU cyberspace. We also welcome the efforts of EU to strengthen consumer rights by introducing effective dispute resolution mechanisms while engaging in online business and transactions.

The developments of privacy and data protection at the EU are systematic and consistent in nature over a long period of time. Some significant developments in this regard are draft European Parliament Legislative Resolution for General Data Protection Regulation 2009-2014 (PDF), European Parliament’s support for Commission’s efforts to foster EU Citizens’ Rights Memo 14-185 (PDF), MEPs anti surveillance stand against U.S. NSA (PDF), etc. The latest to add to this civil liberties protection list is supporting vote of European Parliament for EU data protection reforms (Word) that have now become irreversible in nature.  The new Data Protection Regulation was approved with 621 votes for, 10 against and 22 abstentions.

There had been concern that any delay in the vote would see the whole process put into the hands of a new parliament following elections in May. The current parliament will now speak to ministers from the EU’s member states and agree on a timetable to implement the law.

“Most people are entirely unaware that their rights are being violated when online due to what are now everyday business practices. Those who are aware, have negligible ability to control how this data on their daily lives, buying behavior, social media use, political views, hobbies, financial data and health records is collected and processed,” said Monique Goyens, director general of The European Consumer Organisation.

Although the vote was welcomed by consumer groups, the tech industry is concerned that it will place more burdens on businesses. For instance, the Industry Coalition for Data Protection (ICDP), a group of 16 associations representing European and international companies, described the new law as an “overly prescriptive, freeze-frame approach that would be unworkable in practice, even for data protection authorities”.

The new law includes higher fines for breaches of data protection law in the EU, up to 5 percent of worldwide revenue or a fine of €100 million (US$138 million), whichever is greater. The original draft of the text had called for 2 percent, but the European Parliament decided to raise it.

Citizens will also gain the so-called right to be forgotten. Businesses must comply with any demand by a customer for the erasure of their personal data when there are no legitimate grounds for retaining it. However, the European Commission pointed out that this is not a right to re-write history: legitimate reasons to retain data include, for example, newspaper archives.

Explicit consent is also required for businesses wishing to process data. Organisations processing people’s data must provide standardised information policies to explain what they are doing with it and why. Businesses and organisations will be required to inform users, paying or not, about data breaches “without undue delay”. There is much debate about what constitutes “undue delay”; 24 hours is considered to be sufficient time for any organisation to notify users. Cyber security breaches also need a mandatory reporting mechanism, which is presently missing the world over.

Cyber law due diligence for European business has already been prescribed by the EU. As per the new EU framework, member states must take necessary measures to make sure that firms that indulge in any kind of cyber crime can now be held accountable. The rules allow member states to impose punishment even if an employee carried out hacking without the bosses’ knowledge. This is more along the lines of “strict liability”, which business houses and owners must keep in mind. Similarly, this would also require businesses to appoint chief information officers and chief technology officers so that their business interests can be adequately safeguarded.

Under the new regulation, users will have the right to demand that businesses send them all the information they have stored about them. Where requests to access data are ‘excessive or repetitive’, smaller companies will be allowed to charge a fee for providing access. A one-stop-shop principle, allowing businesses to deal with just the data protection authority where they are based, not all 28 across the EU, will be enacted. However, the data protection authority in each member state will be empowered to impose sanctions on, as well as carry out regular inspections of, companies found to be in breach of the rules.

The new law would apply to all companies handling EU citizens’ data, whether they are based in the EU or not. Thus, companies located in other jurisdictions and handling EU citizens’ data would also be covered. The EU has to manage the conflict of laws in cyberspace, as different countries may have different laws in this regard. For instance, India has neither a privacy law nor a data protection law (PDF). How the EU norms would apply to Indian BPO and KPO companies and firms is yet to be ascertained by the EU.

The new regulation would replace the 1995 legislation, but the new rules still need to be backed by EU governments, some of which have so far been stalling on the reform.

Meanwhile in a separate vote the European Parliament approved calls to put data sharing with the U.S. on hold. The report condemns the mass surveillance programs by EU member states as well as those by the U.S., and calls for the suspension of the Terrorist Finance Tracking Program (TFTP) agreement and the Safe Harbor agreement. TFTP allows the U.S. access to EU citizens’ banking transfers while Safe Harbor is a voluntary program, enforceable by law, whereby U.S. companies promise to manage EU citizens’ data securely.

But the most far-reaching element of the resolution, drawn up after 16 hearings over six months, is that parliament should withhold its consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the U.S. unless it fully respects EU fundamental rights. Despite the strong words, it is not within the European Parliament’s power to implement them. Any suspension of agreements would have to come from the European Commission. Nevertheless, the mood of the European Parliament is now well known.