On 9th August 2017, the Telecom Regulatory Authority of India (TRAI) released a consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) as a step towards developing a robust data protection framework to safeguard consumer interest.
In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments on these questions. In total, fifty-three (53) stakeholders – thirty (30) firms and organisations, nine (9) telecom service providers (TSPs), six (6) associations, four (4) consumer advocacy groups and four (4) individuals – submitted detailed responses.
In a twelve (12) part series of posts, we will map the opinions of all the stakeholders on each question on the basis of their responses to the Consultation Paper.
Are the data protection requirements currently applicable to all the players in the ecosystem in India sufficient to protect the interests of telecom subscribers? What are the additional measures, if any, that need to be considered in this regard?
Broadly, stakeholders fell into one of four categories:
- Those that said existing norms were enough to protect the interests of telecom subscribers;
- Those that said existing norms were inadequate and need to be revisited;
- Those that made suggestions without commenting specifically on the adequacy of the existing framework; and
- Those that did not answer this question.
- 23% of the total respondents said that the current data protection norms are sufficient.
- 62% of the total respondents stated that the current norms need to be revisited.
- 11% of the total respondents did not explicitly affirm or deny the sufficiency of the current norms but provided suggestions.
- 4% of the total respondents provided no response to the question.
Graph illustrating the breakdown of responses
Stakeholders who said existing norms were enough
- ACTO (Association Of Competitive Telecom Operators)
- ASSOCHAM (The Associated Chambers of Commerce of India)
- COAI (Cellular Operators Association of India)
- EBG (European Business Group) Federation
- Idea Cellular
- MTNL (Mahanagar Telephone Nigam Limited)
- Reliance Jio Infocomm
- Tata Teleservices
- USIBC (US India Business Council)
Stakeholders that said existing norms were not enough and need to be revisited
- Access Now
- Apurv Jain
- Baijayant Jay Panda
- BSNL (Bharat Sanchar Nigam Limited)
- CIS (The Centre for Internet and Society, India)
- Consumer Protection Association
- Consumer’s Guidance Society
- CUTS (Consumer Unity & Trust Society)
- Federation of Consumers and Service Organisation
- GSMA (GSM Association)
- Internet Democracy Project
- Internet Freedom Foundation
- ISPAI (Internet Service Providers Association of India)
- IT for Change
- ITI (Information Technology Industry Council)
- KOAN Advisory
- Mozilla Corporation
- NASSCOM-DSCI (National Association of Software and Services Companies – Data Security Council of India)
- NLU, Delhi (National Law University, Delhi)
- Reliance Communications
- Sangeet Sindan
- sflc.in (Software Freedom Law Centre)
- Takshashila Foundation
- Telenor India
- USISPF (U.S. India Strategic Partnership Forum)
- Zeotap India
Stakeholders that neither affirmed nor denied the sufficiency of norms but made suggestions
- BIF (Broadband India Forum)
- IAMAI (Internet and Mobile Association of India)
Stakeholders that gave no response to this question
- ACT | The App Association (Association for Competitive Technology)
- BSA | The Software Alliance (Business Software Alliance)
- Disney Broadcasting (India) Ltd
- ISACA (Information Systems Audit and Control Association)
- Span Technologies
- All the civil society organisations (namely, CIS, Consumer Protection Association, Consumer’s Guidance Society, CUTS, Federation of Consumers and Service Organisations, Internet Democracy Project, Internet Freedom Association, IT for Change, sflc.in, and academic institutions such as NLU, Delhi and Takshashila University) were of the opinion that current data protection norms were inadequate for protection of consumer interests and safeguarding their data.
- There was a split amongst industry associations regarding the sufficiency of current data protection requirements. Five (5) said that current norms were sufficient (ACTO, ASSOCHAM, COAI, EBG Federation and USIBC), while five (5) said they were insufficient (GSMA, ISPAI, iSPIRT, ITI Council and USISPF). BIF and IAMAI did not state their opinion on the sufficiency but offered suggestions. ACT, BSA, and ISACA did not provide an answer to this question specifically.
- Telecom Service Providers (TSPs) differed when it came to opining on the sufficiency of the norms; five (5) TSPs stated that the requirements were sufficient (Airtel, Idea, MTNL, Reliance Jio and Tata Teleservices), while four (4) TSPs stated they need to be revisited (BSNL, Reliance Communications, Telenor, and Vodafone). However, all TSPs expressed their desire for uniform norms for all players in the eco-system.
Responses Mapped in the Table
The following table was prepared after an analysis of all fifty-three (53) responses to the Consultation Paper. The table identifies the stances of the stakeholders, dividing them according to where they stand on the sufficiency of the current data protection norms, and it also states the suggestions they have made to the TRAI for the evolution of a framework for the telecom sector in view of the question posed.
The data protection measures are adequate and require no further measures

| Stance | Stakeholder | Suggestions |
|---|---|---|
| Support uniform application of norms on all players. | Airtel | Proposed a principle-based, horizontal data protection law. |
| | Reliance Jio Infocomm | Proposed an overarching data protection framework as opposed to sector specific data protection regulations. |
| | | Suggested an online dispute resolution mechanism for consumers’ complaints pertaining to data protection. |
| | | Urged for strict implementation of the existing data protection framework. |
| | COAI | Recommended identical rules and guidelines for all service providers. |
| | | Recommended distinguishing between personal information, personally identifiable information, anonymized data and/or aggregated data under the law and/or the regulations. |
| | | Recommended that a user’s consent should only be required when identifiable data is being shared and not otherwise. |
| The Unified License granted by TRAI is sufficient since it lays down the conditions for data protection. | COAI | – |
| Wary of increased barriers to cross border data flows and a negative effect on the ease of doing business. | ASSOCHAM | – |
| Supports accountability through self-regulation without prescriptions. | AT&T | – |
| Further regulation should only be introduced after evidence of harm to the sector. | ACTO | Recommended an industry consultation before new data protection norms are introduced. |
| | | Suggested that there is no need for sector-specific regulation. |
| Support adoption of international best practices for regulating the telecom sector. | USIBC | Recommended adoption of best practices as outlined by the Organisation for Economic Co-operation and Development and the Asia Pacific Economic Cooperation’s Cross-Border Privacy Rules. |
| Affirmed the sufficiency of the norms without any elaboration on their stance towards further regulation. | Sigfox | Recommended that encryption requirements should be optional. |
| | EBG Federation | Recommended light regulation of the sector, avoiding burdensome compliance requirements. |
| | | Recommended that there must be adequate justification before the introduction of new norms. |

They need to be revisited.

| Stance | Stakeholder | Suggestions |
|---|---|---|
| Support inclusive norms and clear and expansive definitions of terms such as ‘data’ and ‘information’. | Apurv Jain | Proposed that IP addresses and telephone numbers should be considered personal information. |
| | CIS | Recommended that both sensitive and non-sensitive personal information needs to be protected adequately. |
| | Sangeet Sindan; Consumer’s Guidance Society | Suggested expansion of what constitutes ‘sensitive personal information’ under the law. |
| | Exotel | Recommended utilisation of a standardized notice, which provides for different levels of consent for the user. |
| Support uniform application of data protection norms on all players. | Reliance Communications | – |
| | Redmorph | Proposed that data protection norms must include those service providers who provide telecom and related services, but are not registered as licensed telecom operators. |
| | Access Now | Suggested amendment of the Unified License Agreements. |
| | CIS | Proposed regulation of the public sector. |
| | Telenor India | Suggested that the prosecution and punishment for violation of data privacy, under a common legislation, should be on the basis of the classification and sensitivity of the data. |
| | Zeotap India | Recommended anonymization of personal data before it is shared with a third party. |
| Support adoption of international standards. | iSPIRT | Recommended updating norms to provide for better encryption standards for data transmission, signalling and forwarding. |
| | | Recommended regular audits of TSPs. |
| | | Suggested the development of a framework on the applicability of deep packet inspection. |
| | | Suggested notification of breaches to the users as a mandatory obligation under the framework. |
| | Citibank | Suggested implementation of Justice AP Shah Committee Report because it is in line with international standards such as Organisation for Economic Co-operation and Development. |
| | sflc.in | Recommended emulation of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011. |
| | Consumer’s Guidance Society; Reliance Comm. Ltd. | Proposed regulation of cross-border data transfer. |
| Support the constitution of a Privacy Commission or Cross-sectoral Regulator/Enforcement Authority. | ITI | Suggested that data protection requirements should stem from, and be enforced by, an agency or regulatory body which is not sector specific. |
| Support a principle based horizontal application of a technology neutral data protection framework. | Mozilla | Recommended adoption of a sector agnostic framework, instead of a sector specific framework. |
| | CIS | Recommended adoption of strengthened norms for all internationally recognised data privacy principles. |
| | sflc.in | Suggested that there must be an obligation on the service providers to delete all personal data. |
| | | Suggested increased encryption standards for bulk data transfer. |
| | | Proposed that data portability requirements be made mandatory. |
| | Consumer Protection Association | – |
| Support recognition of ownership of data. | Takshashila Foundation | Recommended enacting rules for safeguarding against profiling and monitoring. |
| Support a sector specific approach to formulating a data protection framework, where each sector has differing norms. | Consumer’s Guidance Society | Recommended compulsory registration of data handlers and processors. |
| | Internet Democracy Project | Recommended adoption of better transparency, increased user choice, and control and redressal mechanisms. |
| Support increased public awareness regarding data privacy. | BSNL | – |
| Proposes balancing the interests of all stakeholders when framing regulations. | ITI | – |
| Supports a harm-based framework on the lines of the European Union’s General Data Protection Regulation. | KOAN | Recommended implementation of clear guidelines with stringent mechanisms. |
| Stated that the present data protection norms are inadequate and provided suggestions, without expressing their stance on further norms. | Internet Freedom Foundation | Suggested that privacy legislation should be in alignment with the ruling in Justice K.S.Puttaswamy (Retd.) v. Union of India. |
| | BSNL | Suggested mandatory requirement of proof of compliance with the norms in force from the TSPs. |
| | IT for Change | Suggested alteration of consent/contract frameworks as they are too broad, unilateral and leave little choice for consumers. |

Maybe*

| Stance | Stakeholder | Suggestions |
|---|---|---|
| Wary of overregulation. | BIF | Proposed a horizontal data protection law. |
| | | Recommended adequate implementation mechanism within which a grievance redressal mechanism shall function. |
| | | Recommended raising awareness about data protection among consumers. |
| TRAI is a sectoral regulator, therefore, this consultation process is best suited as a feedback to the Ministry of Electronics and Information Technology. | BIF | Suggested that once a data protection law is enacted, TRAI should review the Indian Telegraph Act, 1885 and related licensing requirements to recommend changes to the Department of Telecommunications. |
| Supports strengthening of existing system. | Federation of Consumer and Service Organizations | Suggested the implementation of Justice A.P. Shah Committee’s recommendations. |

No Response**

| Stance | Stakeholder | Suggestions |
|---|---|---|
| – | BSA \| The Software Alliance; ACT \| The App Association | – |

[This post is authored by Nehaa Chaudhari and Pushan Dwivedi with valuable contributions from Savyasachi, Shubhi, Adyasha and Lokesh, during their internships with TRA].
* The response did not give either a yes or no answer, but provided suggestions.
** The stakeholder chose not to respond to this particular question.