The following text is copyright 2011 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
India: Data privacy: yes, adults: no, Internet privacy: no
By: Scott Bradner
India has just approved three new information technology rules (http://www.mit.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf). One, titled "Reasonable security practices and procedures and sensitive personal data or information," will impact many US companies that outsource some of their IT operations to India. Another, titled "Intermediaries guidelines," covers India-based ISPs and other companies that transport Internet data but do not manage or edit the data and, among other things, assumes there are no adult users of the Internet in India. The third, titled "Guidelines for Cyber Cafe," tries to ensure that users of cyber cafes in India have no privacy.
The "Reasonable security practices and procedures and sensitive personal data or information" set of rules is of most interest to US companies. The rules define what is to be considered "sensitive personal information." This includes passwords, financial account numbers (including credit cards), medical or mental health information, sexual orientation and biometric information. Anyone dealing with such information must establish a public privacy policy explaining what information is collected and why it is collected. Such data collection can only be done with the knowledge of the subject of the information. Only the information actually needed for the stated purpose can be collected, and it must only be kept for as long as needed for that purpose. Many of these provisions are also in the recent Kerry/McCain "Commercial Privacy Bill of Rights Act of 2011" (http://kerry.senate.gov/imo/media/doc/Commercial Privacy Bill of Rights Text.pdf), so it is possible that US residents may have some of the same protections, but don't hold your breath. The Indian rules also require that "reasonable" security practices and procedures be followed to protect the information, and state that IS/ISO/IEC 27001 is an example of such reasonable practices.
The Indian rules seem to be written to cover data gathered by Indian companies from anywhere in the world, even if the Indian company is working for a company in the US and only collecting information about US residents. Many US companies outsourcing some of their IT operations to India may have to upgrade their systems and practices if the rules are interpreted this way.
The other two sets of rules pertain to Indian "intermediaries" and "cyber cafes." Both sets of rules are rather strict. The intermediaries rule provides a long list of what types of information Internet users cannot "host, display, upload, modify, publish, transmit, update or share." The list includes the usual suspects: obscene, pornographic, libelous and copyright-violating material. But it also includes a prohibition of information that could "harm minors in any way." This clause prevents adults from talking to adults over the Internet about topics that someone might think harmful to a minor, such as a 5-year-old.
I guess the Indian authorities think that there are no adults in India.
The cyber cafe rules seem designed to ensure that cafe users have no privacy at all. The cafe operator must maintain a list of all users and forward the list to the authorities monthly. A log of all websites visited must also be kept, and the cafe must be designed so that the user's screen is visible at all times.
I guess, in India, privacy is for data, not for users, and only kids use the net. That comes across as somewhat of a mixed message about the maturity of Indian society.
disclaimer:
Some of the things that go on in Harvard Yard may provide a mixed message about the maturity of some Harvard students, but they outgrow it. In any case, I know of no Harvard opinions on the Indian rules, so the above opinions must be my own.