This story appeared on Network World at
http://www.networkworld.com/columnists/2011/051811-bradner.html
India: Data privacy, yes; adults, no; Internet privacy, no
'Net Insider
By Scott Bradner, Network World
May 18, 2011 09:05 AM ET
India has just approved three new information technology rules, some of which
might impact U.S. companies that outsource and others that will hurt Indian
Internet users.
One new set of
rules, titled "Reasonable security practices
and procedures and sensitive personal data or information," is of most
interest to U.S. companies.
These rules define
what is to be considered "sensitive personal information." These
include passwords, financial account numbers (including credit cards), medical
or mental health information, sexual orientation and biometric information.
Anyone dealing with such information must establish a public privacy policy
explaining what information is collected and why. Such data collection can only
be done with the knowledge of the subject of the information.
Only information
actually needed for the stated purpose can be collected, and it must only be
kept for as long as needed for that purpose. Many of these provisions are also
in the recent Kerry/McCain "Commercial
Privacy Bill of Rights Act of 2011", so it is possible that U.S.
residents may have some of the same protections -- but don't hold your breath.
The Indian rules
also require that "reasonable" security practices and procedures be
followed to protect the information, and they cite IS/ISO/IEC 27001 as an
example of such reasonable practices.
The rules seem to
be written to cover data gathered by Indian companies from anywhere in the
world, even if the Indian company is working for one in the United States and
is only collecting information about U.S. residents. Many U.S. companies
outsourcing some of their IT operations to India may have to upgrade their
systems and practices if the rules are interpreted this way.
The other two new
sets of rules -- both of which are rather strict -- pertain to Indian
"intermediaries" and "cyber cafes."
The
"Intermediaries guidelines" provide a long list of what types of
information Internet users cannot "host, display, upload, modify, publish,
transmit, update or share." The list includes the normal suspects of
obscene, pornographic, libelous and copyright violations. But it also includes
a prohibition of information that could "harm minors in any way."
This clause
prevents adults from talking to adults over the Internet about topics that
someone might think harmful to a minor, such as a 5-year-old. I guess the
Indian authorities think that there are no adults in the country.
Separately, the
new "Guidelines for Cyber Cafe" rules seem designed to ensure that
cafe users have no privacy at all. The cafe operator must maintain a list of
all users and forward it to authorities monthly. A log of all websites visited
must be kept and the cafe must be designed so that the user's screen is visible
at all times.
I guess, in India,
privacy is for data, not for users, and that only kids use the 'Net. That comes
across as somewhat of a mixed message about the maturity of Indian society.
Disclaimer: Some of the things
that go on in Harvard Yard may provide a mixed message about the maturity of
some Harvard students, but they outgrow it. In any case, I know of no Harvard
opinions on the Indian rules, so the above opinions must be my own.
All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com