Stakeholders’ responses to the TRAI privacy consultation paper (Part IV of XII): Rights, responsibilities, regulation and governance of data controllers

This is the fourth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) published by the Telecom Regulatory Authority of India (TRAI) on 9th August, 2017.

In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.

The mapping of stakeholders’ opinion, and the analysis of such mapping, is based on the interpretation of all the responses to the Consultation Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests, and comments, to rectify any such omission(s) or error(s) in this exercise, are duly invited.

“Q.3 What should be the Rights and Responsibilities of the Data Controllers? Can the Rights of Data Controller supersede the Rights of an Individual over his/her Personal Data? Suggest a mechanism for regulating and governing the Data Controllers”.

The concerns in relation to the rights, responsibilities and governance of the data controllers, raised by stakeholders in their responses to abovementioned question 3 of the Consultation Paper, broadly correspond to the issues raised in part III and part IV of the White Paper of the Committee of Experts on a Data Protection Framework for India (White Paper). Part III engaged with a number of issues on the rights and responsibilities of the data controllers including permissible grounds of processing, such as consent and legitimate purpose, necessity and design of notice, and international practices. Part IV dealt with a diverse range of issues in relation to accountability and enforcement tools including voluntary and co-regulatory models of regulation, establishment and functioning of data protection authority and codes of practice. The mapping of stakeholders’ opinion, and the analysis of such mapping, has been conducted in context of the issues raised under Part III and part IV of the White Paper, particularly the concerns related to the rights and responsibilities of the data controllers, prioritization of rights of the data subject, and effective accountability and enforcement tools.

The following table projects the stance of the stakeholders on whether the rights of data controller should supersede the rights of an individual over his/her personal data?

*Industry Associations: IAMAI – Internet & Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, ACT – Association for Competitive Technology, ASSOCHAM – Associated Chambers of Commerce and Industry of India, COAI – Cellular Operators Association of India, GSMA – Groupe Speciale Mobile Association, ISPAI – Internet Service Providers Association of India, NASSCOM-DSCI – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, ITI – Information Technology Industry Council, USIBC – US India Business Council, BSA – Business Software Alliance, EBG – European Business Group Federation, BIF – Broadband India Forum, ISACA – Information Systems Audit and Control Association, iSPIRIT – Indian Software Product Industry Round Table.

**Telecom Service Providers: AT&T Global Network Services India Pvt. Ltd., RJIL – Reliance Jio Infocomm Limited, MTNL – Mahanagar Telephone Nigam Limited, TTL – Tata Teleservices Limited, BSNL – Bharat Sanchar Nigam Limited.

***Civil Society Organisations/ Think Tanks: NLUD – National Law University, Delhi,  IDP – Internet Democracy Project, CIS – The Centre for Internet & Society, ITfC – IT for Change, SFLC – Software Freedom Law Centre, FCSO – Federation of Consumer and Service Organization, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IFF – Internet Freedom Foundation.

The following table projects the stances of all the stakeholders to predominant issues concerning the governance of the data controllers.

 INSIGHTS

 Can the rights of data controller supersede the rights of an individual over his/her personal data?

• 1% of all the stakeholders stated that the rights of the data controller cannot supercede the rights of an individual over his/her personal data.
• 7% of all the stakeholders, all of them industry associations, stated that there was no conflict between the rights of the data controller and the rights of an individual over his/her personal data.
• 7% of all the stakeholders stated that the rights of the data controller can in certain circumstances, for reasons of national security, public interest, maintenance of law and order, etc., supercede the rights of an individual over his/her personal data.
• 8% of the stakeholders, i.e., one (1) stakeholder— ASSOCHAM, stated that no one set of rights should be seen as superseding or obtaining precedence over another.
• 5% of the industry associations, 40% of the telecom service providers (TSPs), 25% civil society organisations/think tanks and 50% of the companies/firms stated that the rights of the data controller cannot supercede the rights of an individual over his/her personal data.
• 5% of the industry associations, 50% of the telecom service providers (TSPs) and 33.33% of civil society organisations/ think tanks stated that the rights of the data controller can in certain circumstances, including for reasons of national security, public interest, maintenance of law and order, supercede the rights of an individual over his/her personal data.
• 75% of the industry associations stated that there was no conflict between the rights of the data controller and the rights of an individual over his/her personal data.

Can the rights of data controller supersede the rights of an individual over his/her personal data?

 Other Trends

• 62% of all stakeholders, comprising of 50% of the companies/firms and TSPs, 37.5% of the industry associations and 33.33% of the civil society organisations/think tanks, agreed that only as much data must be collected and processed as is necessary for the specified purpose.
• 87% of all stakeholders, including 40% of TSPs, 16.67% of civil society organisations/ think tanks and 25% of the industry associations opined that further consent needn’t be obtained from the data subject to use/process/share anonymized data sets. Airtel (TSP) and ISPAI (industry association) stated that data sets, even when anonymized, may not be used/processed/shared without the data subject’s consent.
• 5% of all stakeholders, comprising of 50% of industry associations, 20% of TSPs, 16.66% of companies/firms and 8.3% of civil society organisations/think tanks, said that there needs to be a distinction between data controllers and data processors in terms of their definitions, roles, responsibilities and liabilities.

Detailed Mapping of Responses

 A detailed mapping of the responses of all the fifty-three (53) stakeholders, including the stances of the stakeholders, their response to question three (3) of the Consultation Paper and the suggestions they have made to the TRAI in view of the question, is available here.

[This post is authored by Sushma S. Babu, a fourth year undergraduate student of HNLU, Raipur, under the supervision of Pushan Dwivedi (Associate, TRA) during her internship with TRA].