This is the sixth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) published by the Telecom Regulatory Authority of India (TRAI) on 9th August 2017.
In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.
The mapping of stakeholders’ opinion, and the analysis of such mapping, is based on the interpretation of all the responses to the Consultation Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests, and comments, to rectify any such omission(s) or error(s) in this exercise, are duly invited.
“Q.11 What should be the legitimate exceptions to the data protection requirements imposed on TSPs and other providers in the digital ecosystem and how should these be designed? In particular, what are the checks and balances that need to be considered in the context of lawful surveillance and law enforcement requirements?”
The concerns in relation to the legitimate exceptions to data protection requirements, raised by stakeholders in their responses to the abovementioned question 11 of the Consultation Paper, broadly relate to some of the issues discussed in the White Paper of the Committee of Experts on a Data Protection Framework for India (White Paper), namely, legitimate exceptions for national security and lawful surveillance purposes, exemption of de-identified data from the purview of data protection framework, and checks and balances in context of lawful surveillance and law enforcement requirements.
The following table projects the stance of the stakeholders on the grounds of legitimate exceptions to data protection requirements.
| Categories of Stakeholders | Should the legitimate exceptions to data protection requirements be restricted to critical purposes such as national security or law enforcement requirements? | |||
| Yes (14) | No (5) | Maybe (7) | No answer (27) | |
| Industry Associations – 16*
(IAMAI, ACTO, ASSOCHAM, COAI, GSMA, ISPAI, NASSCOM-DSCI, USISPF, ITI, USIBC, BSA, EBG, BIF, ACT, ISACA, iSPIRT) |
4
IAMAI ASSOCHAM ISACA, NASSCOM-DSCI |
— |
4
ACTO ISPAI BSA BIF |
8
COAI GSMA ACT USISPF iSPIRT USIBC EBG ITI |
| Telecom Service Providers (TSPs) – 10**
(AT&T, RJIL, Bharti Airtel Ltd., Idea Cellular Ltd., MTNL, RCOM, TTL, BSNL, Telenor, Vodafone)
|
4
RJIL MTNL BSNL RCOM |
1
Telenor |
2
AT&T Idea Cellular Ltd. |
3
Bharti Airtel Ltd. TTL Vodafone |
| Civil Society Organisations/ Think Tanks – 12***
(NLUD, IDP, CIS, ITfC, SFLC, FCSO, CUTS, CGS, CPA, Takshashila Institution, Access Now, IFF)
|
2
CGS CIS |
3
NLUD SFLC CPA |
— | 7
Takshashila Institution IFF IDP ITfC FCSO CUTS Access Now |
| Individuals – 3
(Sangeet Sindan, Baijayant Jay Panda, Apurv Jain)
|
1
Apurv Jain |
— | — | 2
Sangeet Sindan Baijayant Jay Panda |
| Companies/Firms – 12
(SPAN Technologies, TRA, Zeotap Pvt. Ltd., IBM, Make My Trip, Sigfox, Exotel, Mozilla, Citibank, Disney India, KOAN, Redmorph)
|
3
KOAN Citibank Mozilla |
1
Sigfox |
1
SPAN Technologies |
7
Make My Trip TRA Zeotap Pvt. Ltd. IBM Exotel Disney India Redmorph |
*Industry Associations: IAMAI – Internet & Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, ACT – Association for Competitive Technology, ASSOCHAM – Associated Chambers of Commerce and Industry of India, COAI – Cellular Operators Association of India, GSMA – Groupe Speciale Mobile Association, ISPAI – Internet Service Providers Association of India, NASSCOM-DSCI – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, ITI – Information Technology Industry Council, USIBC – US India Business Council, BSA – Business Software Alliance, EBG – European Business Group Federation, BIF – Broadband India Forum, ISACA – Information Systems Audit and Control Association, iSPIRIT – Indian Software Product Industry Round Table.
**Telecom Service Providers: AT&T Global Network Services India Pvt. Ltd., RJIL – Reliance Jio Infocomm Limited, MTNL – Mahanagar Telephone Nigam Limited, TTL – Tata Teleservices Limited, BSNL – Bharat Sanchar Nigam Limited, RCOM – Reliance Communications Ltd.
***Civil Society Organisations/ Think Tanks: NLUD – National Law University, Delhi, IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, ITfC – IT for Change, SFLC – Software Freedom Law Centre, FCSO – Federation of Consumer and Service Organization, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IFF – Internet Freedom Foundation.
The following table projects the stance of the stakeholders on an exclusion of anonymized data from the purview of data protection requirements.
| Categories of Stakeholders | Should anonymized data be excluded from the purview of data protection requirements? | |||
| Yes (8) | No (1) | Maybe (1) | No answer (43) | |
| Industry Associations – 16*
(IAMAI, ACTO, ASSOCHAM, COAI, GSMA, ISPAI, NASSCOM-DSCI, USISPF, ITI, USIBC, BSA, EBG, BIF, ACT, ISACA, iSPIRT) |
3
COAI USISPF EBG |
1
ASSOCHAM |
— | 12
IAMAI ACTO GSMA ISPAI NASSCOM-DSCI ACT ISACA ITI iSPIRT USIBC BSA BIF |
| Telecom Service Providers (TSPs) – 10**
(AT&T, RJIL, Bharti Airtel Ltd., Idea Cellular Ltd., MTNL, RCOM, TTL, BSNL, Telenor, Vodafone)
|
3
RJIL Vodafone RCOM |
— | — | 7
AT&T Bharti Airtel Ltd. Idea Cellular Ltd. MTNL TTL BSNL Telenor |
| Civil Society Organisations/ Think Tanks – 12***
(NLUD, IDP, CIS, ITfC, SFLC, FCSO, CUTS, CGS, CPA, Takshashila Institution, Access Now, IFF)
|
1
SFLC |
— | — | 11
NLUD Takshashila Institution Access Now IFF IDP CIS ITfC FCSO CUTS CGS CPA |
| Individuals – 3
(Sangeet Sindan, Baijayant Jay Panda, Apurv Jain)
|
— | — | — | 3
Sangeet Sindan Baijayant Jay Panda Apurv Jain |
| Companies/Firms – 12
(SPAN Technologies, TRA, Zeotap Pvt. Ltd., IBM, Make My Trip, Sigfox, Exotel, Mozilla, Citibank, Disney India, KOAN, Redmorph)
|
1
Zeotap Pvt. Ltd. |
— | 1
KOAN |
10
SPAN Technologies TRA IBM Make My Trip Sigfox Exotel Mozilla Citibank Disney India Redmorph |
The following table projects the stance of the stakeholders on judicial interventions and oversight for surveillance and lawful access to personal data.
| Categories of Stakeholders | Should there be provisions for judicial interventions and oversight for surveillance and lawful access to data? | |||
| Yes (12) | No (0) | Maybe (1) | No answer (40) | |
| Industry Associations – 16*
(IAMAI, ACTO, ASSOCHAM, COAI, GSMA, ISPAI, NASSCOM-DSCI, USISPF, ITI, USIBC, BSA, EBG, BIF, ACT, ISACA, iSPIRT) |
6
ACTO NASSCOM-DSCI iSPIRT USIBC BSA BIF |
—- | 1
GSMA |
9
IAMAI ASSOCHAM COAI ISPAI ACT ISACA USISPF ITI EBG |
| Telecom Service Providers (TSPs) – 10**
(AT&T, RJIL, Bharti Airtel Ltd., Idea Cellular Ltd., MTNL, RCOM, TTL, BSNL, Telenor, Vodafone)
|
2
AT&T Telenor |
— | — | 8
RJIL Bharti Airtel Ltd. Idea Cellular Ltd. MTNL RCOM TTL BSNL Vodafone |
| Civil Society Organisations/ Think Tanks – 12***
(NLUD, IDP, CIS, ITfC, SFLC, FCSO, CUTS, CGS, CPA, Takshashila Institution, Access Now, IFF)
|
3
Takshashila Institution CIS CGS |
— | — | 9
NLUD Access Now IFF IDP ITfC SFLC FCSO CUTS CPA |
| Individuals – 3
(Sangeet Sindan, Baijayant Jay Panda, Apurv Jain)
|
1
Sangeet Sindan |
— | — | 2
Baijayant Jay Panda Apurv Jain |
| Companies/Firms – 12
(SPAN Technologies, TRA, Zeotap Pvt. Ltd., IBM, Make My Trip, Sigfox, Exotel, Mozilla, Citibank, Disney India, KOAN, Redmorph)
|
— | — | — | 12
SPAN Technologies TRA Zeotap Pvt. Ltd. IBM Make My Trip Sigfox Exotel KOAN Mozilla Citibank Disney India Redmorph |
INSIGHTS
Should the legitimate exceptions to data protection requirements be restricted to critical purposes such as national security or law enforcement requirements?
- 26.4% of the stakeholders, comprising 25% of the industry associations, 40% of TSPs, 16.7% of civil society organisations/think tanks, 33.3% of individuals and 25% of companies/firms, stated that the legitimate exceptions to data protection requirements should be restricted to critical purposes such as national security and law enforcement requirements.
- 9.4% of the stakeholders, comprising 10% of TSPs, 25% of civil society organisations/think tanks and 8.3% of companies/firms, stated that the legitimate exceptions to data protection requirements should not be restricted to critical purposes such as national security and law enforcement requirements.
- 13.2% of the stakeholders, comprising 25% of the industry associations, 20% of TSPs and 8.3% of companies/firms, did not provide a clear stance on whether the legitimate exceptions to data protection requirements should be restricted to critical purposes such as national security and law enforcement requirements.
- 50.9% of the stakeholders, comprising 50% of the industry associations, 30% of TSPs, 58.3% of civil society organisations/think tanks, 66.7% of individuals and 58.3% of companies/firms, did not comment on whether the legitimate exceptions to data protection requirements should be restricted to critical purposes such as national security and law enforcement requirements.
Should anonymized data be excluded from the purview of data protection requirements?
- 15.1% of the stakeholders, comprising 18.8% of the industry associations, 30% of TSPs, 8.3% of civil society organisations/think tanks and 8.3% of companies/firms, stated that anonymized data should be excluded from the purview of data protection requirements.
- 1.9% of the stakeholders, comprising 6.3% of the industry associations, stated that anonymized data should not be excluded from the purview of data protection requirements.
- 1.9% of the stakeholders, comprising 8.3% of companies/firms, did not provide a clear stance on whether anonymized data should be excluded from the purview of data protection requirements.
- 81.1% of the stakeholders, comprising 75% of the industry associations, 70% of TSPs, 91.7% of civil society organisations/think tanks, 100% of individuals and 83.3% of companies/firms, did not comment on whether anonymized data should be excluded from the purview of data protection requirements.
Should there be provisions for judicial interventions and oversight for surveillance and lawful access to data?
- 22.6% of the stakeholders, comprising 37.5% of the industry associations, 20% of TSPs, 25% of civil society organisations/think tanks and 33.3% of individuals, stated that there should be provisions for judicial interventions and oversight for surveillance and lawful access to data.
- 1.9% of the stakeholders, comprising 6.3% of the industry associations, did not provide a clear stance on whether there should be provisions for judicial interventions and oversight for surveillance and lawful access to data.
- 75.5% of the stakeholders, comprising 56.3% of the industry associations, 80% of TSPs, 75% of civil society organisations/think tanks, 66.7% of individuals and 100% of companies/firms, did not comment on whether there should be provisions for judicial interventions and oversight for surveillance and lawful access to data.
Detailed Mapping of Responses
A detailed mapping of the responses of all the fifty-three (53) stakeholders, including the stances of the stakeholders, their response to question eleven (11) of the Consultation Paper and the suggestions they have made to the TRAI in view of the question, is available here.
[This post is authored by Varsha Rao, a fifth-year undergraduate student of NLU, Delhi under the supervision of Pushan Dwivedi (Associate, TRA) during her internship with TRA].
