How is Uid helping the Indian government

Keyword: India

India: Biometric registration of all residents

According to media reports, India's government is planning to record all residents - including biometrics - as part of the Aadhar project and assign each one a personal number (Unique Identification, UID). In the next four years 600 million Indians are to be provided with UIDs. The plan is to expand this to all 1.2 billion people in India. The Unique Identification Authority of Inida (UIDAI), established for the project last year, is responsible for process control.

The government of India wanted to enable the clear and unambiguous identification of all citizens for the first time in the country's history. Above all, immigrants, the poor or the rural population should benefit from this, as only clear identification helps them to do banking, apply for social assistance or receive a school education. Critics, on the other hand, should classify the project as a “snap shot” and especially see data protection problems. The relevant draft law contains, for example, various weak points with regard to avoiding unauthorized use of personal data.

 

India demands confirmation from the EU

As The Economist Times reports, New Delhi has asked the EU to add India to the ranks of safe third countries with an adequate level of data protection. This status enables the countries to dispense with the standard contractual clauses of the EU, which are difficult to enforce in practice.

So far, EU countries have not been allowed to transfer sensitive personal data to India without further ado. This hampers services such as telemedicine, for example, and restricts the overall movement of services.

In India, they refer to improvements in domestic data protection laws, which are now supposed to guarantee a high level of data security. From the USA there is already the unhindered possibility to transfer sensitive data to India and to outsource services. The advantage for India to grow in the respective branches of the economy is great if only the EU declares India a safe country in terms of data protection. The EU should not only focus on conformity with its own rules. Even if India made different regulations, these could be assessed as conforming to the level and guarantee adequate data protection.

Apple, RIM and Nokia are to allow Indian secret service access to customer e-mails

The hacker group The Lords of Dharmaraja has published a number of documents which, according to media reports, show that Apple, Nokia and Research in Motion (RIM) have entered into contracts with an Indian secret service that allow the monitoring of customer e-mails. This is said to have been a condition for access to the Indian market. One of the letters shows that in addition to the companies named, all important device manufacturers have concluded such an agreement. Another document should also show that an email from the U.S.-China Economic and Security Review Commission (USCC), which deals with economic and security issues in relations between the USA and China, was also read via this interface. According to Reuters, USCC officials are reviewing the situation and are currently unable to comment further.

According to this Reuters article, Apple spokeswoman Trudy Muller denied that Apple had integrated a back door for the Indian government into its products. An Indian RIM spokesman told Reuters that rumors will not be commented on and Nokia declined to comment. In the past, RIM had to grant India as well as Saudi Arabia and the United Arab Emirates access to certain encrypted parts of its BlackBerry system in order not to be excluded from these markets.

The plausibility of the reports is supported by the fact that the hackers from The Lords of Dharmaraja were recently able to steal source code from the security specialist Symantec without any doubt. With regard to this source code, too, there are some indications that it could have come from Indian government servers. (se)

Order data processing in India not affected by new data protection rules

As expected in advance, the Indian government reacted to the continued criticism from the business community regarding the 43a IT Act. In a communication dated August 24, 2011 it is now made clear that the challenged rules are only applicable to Indian companies that are in a direct contractual relationship with a natural person. It is also explicitly stated that the rules are not applicable if there is an order data processing relationship with an Indian company.

Companies that have outsourced their data processing to India are therefore unlikely to be affected by the new regulation. (se)

Consequences of sharing cloud data with US authorities

As already reported, Microsoft has openly admitted that it may have to pass on data from its Office 365 service stored in Europe to US authorities.

The German supervisory authorities immediately showed a reaction: After a report from heise online, Dr. Thilo Weichert from the Independent State Center for Data Protection Schleswig Holstein (ULD) contradicts European data protection law in such a data transfer from the EU area. A threatened access by US authorities would call the confidentiality of the stored data into question and thus remove the basis for existing contracts for data processing. Based on this, both a special right of termination can be derived and it can be determined that Microsoft is retiring as a provider of cloud solutions such as Office 365 and Windows Azure for personal IT services. Another alternative would be to purchase Office 365 from T-Systems, as this provider assures its users that the data will only be stored on servers “under their own control”.

This shows once again that the field of cloud computing is still legally a minefield in terms of data protection. (se)

Update:

There has now also been a reaction from the EU Commission: Matthew Newman, the press spokesman for EU Commissioner Viviane Reding, who is responsible for legal, fundamental rights and citizenship issues, has spoken to CHIP Online about the transfer of data to the USA under the Patriot Act . According to his understanding, "any transfer of personal data to third countries (...) must adhere to the basic principles of data protection in the EU". If a third country wants to gain access to data from the EU area, this presupposes “using the established official communication channels between public offices”.

In order to finally settle the problem, Newman believes it is essential to "reach an all-encompassing agreement between the EU and the US on the common data protection principles to protect the personal data that is exchanged in the context of the fight against crime and terrorism." (se)

India is responding to protests against the new data protection regulations

It seems that India is reacting to the continued criticism from the business world, which expects rising costs and a lack of acceptance for India as a data processing location as a result of the 43a IT Act.

Kamlesh Bajaj, CEO of the DSCI (Data Security Council of India), announced that the government wants to clarify with the help of an amendment within the next 2-3 weeks that the strict rules regarding the written consent only apply to the collection of the Data from Indian customers are decisive. In his statement, he explicitly emphasized that companies that relocate their data processing to India do not need to obtain written consent from people outside India before collecting their data. Thus, from his point of view, concerns about rising costs are unfounded. (se)

 

India plans Right to Privacy Bill

The Indian government is planning a new law that will introduce substantial sanctions, including the withdrawal of licenses from telecommunications providers, for illegally tapping and publishing telephone conversations.

The draft law (Right to Privacy Bill) also provides that an authority (Data Protection Authority of India, DPAI) should monitor compliance with data protection regulations, receive complaints about alleged violations of data protection regulations and investigate such cases.

While illegal espionage or the interception of information should result in a prison sentence of up to five years and a fine of INR 100,000 (approx. € 1,550), people who participate in the dissemination of communication content or other personal information obtained in this way should receive a prison sentence of up to three Years and a fine of up to 50,000 INR (approx. € 770).

The law is also not intended to exempt government employees. If a ministry violates the law, the head of the authority should be punished and liable unless he proves that the violation occurred without his knowledge or he took all necessary safety measures to prevent such an act.

After India barely paid any attention to data protection for a very long time, it can be stated that data protection awareness there has increased considerably and a comparatively large number of measures have been taken or at least discussed recently.

Data protection in the Philippines

At first glance, the Philippines are not a country that is of particular importance for German economic relations. In view of globalization, especially in the area of ​​order data processing, it is also worth taking a look at supposed geographical marginal areas. After the new, strict data protection regulations in India have already caused some discussion both there and abroad, the area of ​​data protection is now also attracting increased attention in other areas of Asia such as the Philippines. Here, too, the starting point is less the protection of privacy than economic reasons. Potential investors, especially from the USA and Europe, are deterred by inadequate data protection precautions and a positive development for the BPO sector (Business Process Outsourcing), which plays a significant role in the employment sector in the Philippines, is prevented. In particular, the problem of "data theft" is a risk factor there.

In order to at least mitigate these concerns from abroad, various data protection-related laws, the Data Protection Act, the Act to Establish a Ministry for Information and Communication Technology (DICT) and the Act to Prevent Internet Crime are to be passed. Despite discussions that have already taken place, the final approval is still pending.

Even if the draft law for the data protection act primarily favors the BPO industry, it is also intended to protect private individuals whose personal data is stored by authorities or companies. If the draft is passed, no body, regardless of whether it is a state authority or a private company, is likely to pass on personal information from customers or citizens without the prior consent of those concerned.

It remains to be seen how much the data protection level in developing and emerging countries will increase in the near future. In any case, it should be noted that the higher, if not necessarily sufficient, data protection regulations of the industrialized nations have a noticeable impact on data protection awareness in other countries. Ultimately, however, the technical component should not be forgotten in data protection. After all, regardless of the level of protection provided by the law, it was only recently that successful hackers' attacks on Sony or Nintendo showed how vulnerable even the systems of global corporations are, which, due to the financial resources, actually have a special level of security in both legal and technical terms Area should be able to go out.

 

International Computing - India Challenges for CIOs in applying the new rules

The new data protection law in India also brings new challenges for CIOs whose companies have offices in India or who operate outsourcing projects there, as the Indian data protection rules apply to all organizations and companies that collect or process personal data and information in India including such personal data collected outside of India.

Many of the new legal regulations are comparable to those of the EU or the USA. However, the new Indian Data Protection Act also contains requirements that are much stricter, such as the obligation to collect and process special personal data only with the prior written consent of the person concerned.

Although the Indian data protection rules are intended to support and promote the development of India as a hub of global data processing, CIOs will nevertheless be faced with the task of adapting previously established processes to the new legal requirements.

 

International data processing - first protests against new regulations in Indian data protection

The changes in Indian data protection law are now showing their first effects on companies in the USA. Various American companies and also some Indian companies that fear for their business relationships consider the written consent of a person, which is now required before their personal data can be collected and used, to be far too restrictive. It is feared that many companies are not prepared to take the risk that a customer who receives an express request from India whether his data may be stored and used there will refuse to give his consent. Instead, companies would then rather outsource their business to China or the Philippines, where such regulations do not apply. Google also protests against some passages from the new law, according to which an Internet provider is held responsible for content that is to be regarded as “harassing”, “grossly harmful” or “ethnically reprehensible”.

The Indian minister for information technology defended the law by saying that it complied with a long-term request from the IT industry to finally create a legal framework for data protection. In any case, some American companies also advocated the direction of the law, as it would strengthen trust abroad with regard to outsourced data processing in India.

Whether and how long the law will remain in place in its current form will ultimately depend largely on the question of how strong the pressure from abroad will be. Since India is extremely dependent on the IT and outsourcing industry, excessive protests and threats to withdraw from companies in this area could well lead to a change in the law.