Stakeholder's Responses to the TRAI Privacy Consultation Paper: Part I of XII – Data Protection Norms

On 9th August 2017, the Telecom Regulatory Authority of India (TRAI) released a consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) as a step towards developing a robust data protection framework to safeguard consumer interest.

In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total, fifty-three (53) stakeholders – thirty (30) firms and organisations, nine (9) telecom service providers (TSPs),  six (6) associations, four (4) consumer advocacy groups and four (4) individuals – submitted detailed responses.

In a twelve (12) part series of posts, we will map the opinions of all the stakeholders on each question on the basis of their responses to the Consultation Paper.

Comments of all stakeholders are available here.  Our comments to the Consultation Paper are available here.

Question 1

Are the data protection requirements currently applicable to all the players in the ecosystem in India sufficient to protect the interests of telecom subscribers? What are the additional measures, if any, that need to be considered in this regard?

Broadly, stakeholders fell into one of four categories:

  1. Those that said existing norms were enough to protect the interests of telecom subscribers;
  2. Those that said existing norms were inadequate and need to be revisited;
  3. Those that made suggestions without commenting specifically on the adequacy of the existing framework; and
  4. Those that did not answer this question.

 INSIGHTS

  • 23% of the total respondents said that the current data protection norms are sufficient.
  • 62% of the total respondents stated that the current norms need to be revisited.
  • 11% of the total respondents did not explicitly affirm or deny the sufficiency of the current norms but provided suggestions.
  • 4% of the total respondents provided no response to the question.

 

Graph illustrating the breakdown of responses

Stakeholders who said existing norms were enough

  1. ACTO (Association Of Competitive Telecom Operators)
  2. Airtel
  3. ASSOCHAM (The Associated Chambers of Commerce of India)
  4. AT&T
  5. COAI (Cellular Operators Association of India)
  6. EBG (European Business Goup) Federation
  7. Idea Cellular
  8. MTNL (Mahanagar Telephone Nigam Limited)
  9. Reliance Jio Infocomm
  10. Sigfox
  11. Tata Teleservices
  12. USIBC (US India Business Council)


Stakeholders that said existing norms were not enough and need to be revisited

  1. Access Now
  2. Apurv Jain
  3. Baijayant Jay Panda
  4. BSNL (Bharat Sanchar Nigam Limited)
  5. CIS (The Centre for Internet and Society, India)
  6. Citibank
  7. Consumer Protection Association
  8. Consumer’s Guidance Society
  9. CUTS (Consumer Unity & Trust Society)
  10. Exotel
  11. Federation of Consumers and Service Organisation
  12. GSMA (GSM Association)
  13. IBM
  14. Internet Democracy Project
  15. Internet Freedom Foundation
  16. ISPAI (Internet Service Providers Association of India)
  17. iSPIRT
  18. IT for Change
  19. ITI (Information Technology Industry Council)
  20. KOAN Advisory
  21. MakeMyTrip
  22. Mozilla Corporation
  23. NASSCOM-DSCI (National Association of Software and Services Companies – Data Security Council of India)
  24. NLU, Delhi (National Law University, Delhi)
  25. Redmorph
  26. Reliance Communications
  27. Sangeet Sindan
  28. in (Sofware Freedom Law Centre)
  29. Takshashila Foundation
  30. Telenor India
  31. USISPF (U.S. India Strategic Partnership Forum)
  32. Vodafone
  33. Zeotap India

 

Stakeholders that neither affirmed nor denied the sufficiency of norms but made suggestions

  1. BIF (Broadband India Forum)
  2. IAMAI (Internet and Mobile Association of India)

Stakeholders that gave no response to this question

 

  1. ACT | The App Association (Association for Competitive Technology)
  2. BSA | The Software Alliance (Business Software Alliance)
  3. Disney Broadcasting (India) Ltd
  4. ISACA (Information Systems Audit and Control Association)
  5. Span Technologies
  6. TRA

 

Observations

  • All the civil society organisations (namely, CIS, Consumer Protection Association, Consumer’s Guidance Society, CUTS, Federation of Consumers and Service Organisations, Internet Democracy Project, Internet Freedom Association, IT for Change, sflc.in, and academic institutions such as NLU, Delhi and Takshashila University) were of the opinion that current data protection norms were inadequate for protection of consumer interests and safeguarding their data.
  • There was a split amongst industry associations regarding the sufficiency of current data protection requirements. Five (5) said that current norms were sufficient (ACTO, ASSOCHAM, COAI, EGB Federation and USIBC); while five (5) said they were insufficient (GSMA, ISPAI, iSPIRT, ITI Council and USISPF). BIF and IAMAI did not state their opinion on the sufficiency but offered suggestions. ACT, BSA, and ISACA did not provide an answer to this question specifically.
  • Telecom Service Providers (TSPs) differed when it came to opining on the sufficiency of the norms; five (5) TSPs stated that the requirements were sufficient (Airtel, Idea, MTNL, Reliance Jio and Tata Teleservices), while four (4) TSPs stated they need to be revisited (BSNL, Reliance Communications, Telenor, and Vodafone). However, all TSPs expressed their desire for uniform norms for all players in the eco-system.

Responses Mapped in the Table

The following table was prepared after an analysis of all fifty-three (53) responses to the Consultation Paper. The table identifies the stances of the stakeholders, dividing them according to where they stand on the sufficiency of the current data protection norms, and it also states the suggestions they have made to the TRAI for the evolution of a framework for the telecom sector in view of the question posed.

 

Answer Stance Stakeholder Suggestions

 

Yes

 

The data protection measures are adequate and require no further measures

 Support uniform application of norms on all players. Airtel Proposed a principle-based, horizontal data protection law.
Reliance Jio Infocomm Proposed an overarching data protection framework as opposed to sector specific data protection regulations.
MTNL

 

 Suggested an online dispute resolution mechanism for consumers’ complaints pertaining to data protection.
Urged for strict implementation of the existing data protection framework.
COAI Recommended identical rules and guidelines for all service providers.
Recommended distinguishing between personal information, personally identifiable information, anonymized data and/or aggregated data under the law and/or the regulations.
Recommended that a user’s consent should only be required when identifiable data is being shared and not otherwise.
Tata Teleservices
Idea Cellular
AT&T
The Unified License granted by TRAI is sufficient since it lays down the conditions for data protection. COAI
ACTO
AT&T
Wary of increased barriers to cross border data flows and a negative effect on the ease of doing business. ASSOCHAM
Supports accountability through self-regulation without prescriptions. AT&T
Further regulation should only be introduced after evidence of harm to the sector. ACTO Recommended an industry consultation before new data protection norms are introduced.
Suggested that there is no need for sector-specific regulation.
Support adoption of international best practices for regulating the telecom sector. USIBC Recommended adoption of best practices as outlined by the Organisation for Economic Co-operation and Development and the Asia Pacific Economic Cooperation’s Cross-Border Privacy Rules.
ASSOCHAM
AT&T
Affirmed the sufficiency of the norms without any elaboration on their stance towards further regulation. Sigfox Recommended that encryption requirements should be optional.
EBG Federation Recommended light regulation of the sector, avoiding burdensome compliance requirements.
Recommended that there must be adequate justification before the introduction of new norms.

 

No

 

They need to be revisited.

 Support inclusive norms and clear and expansive definitions of terms such as ‘data’ and ‘information’. Apurv Jain Proposed that IP addresses and telephone numbers should be considered personal information.
CIS Recommended that both sensitive and non-sensitive personal information needs to be protected adequately.
Sangeet Sindan Suggested expansion of what constitutes ‘sensitive personal information’ under the law.
Consumer’s Guidance Society
Exotel Recommended utilisation of a standardized notice, which provides for different levels of consent for the user.
Support uniform application of data protection norms on all players. Reliance Communications
Vodafone
Redmorph Proposed that data protection norms must include those service providers who provide telecom and related services, but are not registered as licensed telecom operators.
Access Now Suggested amendment of the Unified License Agreements.
CIS Proposed regulation of the public sector.
Recommended strengthening of privacy policy requirements.
Telenor India Suggested that the prosecution and punishment for violation of data privacy, under a common legislation, should be on the basis of the classification and sensitivity of the data.
Zeotap India Recommended anonymization of personal data before it is shared with a third party.
Support adoption of international standards. iSPIRT Recommended updating norms to provide for better encryption standards for data transmission, signalling and forwarding.
Recommended regular audits of TSPs.
Suggested the development of a framework on the applicability of deep packet inspection.
Suggested notification of breaches to the users as a mandatory obligation under the framework.
Citibank Suggested implementation of Justice AP Shah Committee Report because it is in line with international standards such as Organisation for Economic Co-operation and Development.
sflc.in Recommended emulation of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011.
Consumer’s Guidance Society Proposed regulation of cross-border data transfer.
Access Now
Sangeet Sindan
Reliance Comm. Ltd.
Vodafone
Support the constitution of a Privacy Commission or Cross-sectoral Regulator/Enforcement Authority. ITI Suggested that data protection requirements should stem from, and be enforced by, an agency or regulatory body which is not sector specific.
Access Now
NASSCOM-DSCI
Sangeet Sindan
Support a principle based horizontal application of a technology neutral data protection framework. Mozilla Recommended adoption of a sector agnostic framework, instead of a sector specific framework.
GSMA
ISPAI
CIS Recommended adoption of strengthened norms for all internationally recognised data privacy principles.
sflc.in Suggested that there must be an obligation on the service providers to delete all personal data.
Suggested increased encryption standards for bulk data transfer.
Proposed that data portability requirements be made mandatory.
Consumer Protection Association
NASSCOM-DSCI
USISPF
Support recognition of ownership of data. Takshashila Foundation Recommended enacting rules for safeguarding against profiling and monitoring.
CUTS
Sangeet Sindan
Support a sector specific approach to formulating a data protection framework, where each sector has differing norms. Consumer’s Guidance Society Recommended compulsory registration of data handlers and processors.
Internet Democracy Project Recommended adoption of better transparency, increased user choice, and control and redressal mechanisms.
NLU, Delhi
MakeMyTrip
Support increased public awareness regarding data privacy. BSNL
CUTS
Proposes balancing the interests of all stakeholders when framing regulations. ITI
Supports a harm-based framework on the lines of the European Union’s General Data Protection Regulation. KOAN Recommended implementation of clear guidelines with stringent mechanisms.
Stated that the present data protection norms are inadequate and provided suggestions, without expressing their stance on further norms. Internet Freedom Foundation Suggested that privacy legislation should be in alignment with the ruling in Justice K.S.Puttaswamy (Retd.) v. Union of India.
BSNL Suggested mandatory requirement of proof of compliance with the norms in force from the TSPs.
IT for Change Suggested alteration of consent/contract frameworks as they are too broad, unilateral and leave little choice for consumers.
IBM
Baijayant Panda
Maybe* Wary of overregulation. BIF Proposed a horizontal data protection law.
Recommended adequate implementation mechanism within which a grievance redressal mechanism shall function.
Recommended raising awareness about data protection among consumers.
TRAI is a sectoral regulator, therefore,

this consultation process is best suited as a feedback to the Ministry of Electronics and Information Technology.

 BIF Suggested that once a data protection law is enacted, TRAI should review the Indian Telegraph Act, 1885 and related licensing requirements to recommend changes to the Department of Telecommunications.
IAMAI
Supports strengthening of existing system. Federation of Consumer and Service Organizations Suggested the implementation of Justice A.P. Shah Committee’s recommendations.
No Response** BSA | The Software Alliance
Disney India
ISACA
ACT | The App Association
Span Technology
TRA

 

 

[This post is authored by Nehaa Chaudhari and Pushan Dwivedi with valuable contributions from Savyasachi, Shubhi, Adyasha and Lokesh, during their internships with TRA].

* The response did not give either a yes or no answer, but provided suggestions.

** The stakeholder chose not to respond to this particular question.

 

RELATED WRITING

Challenge
the status quo

Sparking Curiosity...