Stakeholders’ responses to the TRAI privacy consultation paper (Part VIII of XII): Key issues pertaining to personal data collection and use

This is the eighth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) published by the Telecom Regulatory Authority of India (TRAI) on 9th August 2017.

In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.

The mapping of stakeholders’ opinion, and the analysis of such mapping, is based on the interpretation of all the responses to the Consultation Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests, and comments, to rectify any such omission(s) or error(s) in this exercise, are duly invited.

“Q. 9 What are the key issues of data protection pertaining to the collection and use of data by various other stakeholders in the digital ecosystem, including content and application service providers, device manufacturers, operating systems, browsers, etc? What mechanisms need to be put in place in order to address these issues?”

The concerns in relation to the collection and usage of data, raised by stakeholders in their responses to the abovementioned question 9 of the Consultation Paper, broadly relate to some of the issues discussed in the White Paper of the Committee of Experts on a Data Protection Framework for India (White Paper), namely, the approach for framing a data protection statute, consent as the basis for processing of data and the principles informing and limiting the mechanisms for data collection.

The following table projects the stance of the stakeholders on a single distinct data protection statute applicable to all service providers.

*Industry Associations: IAMAI – Internet & Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, ACT – Association for Competitive Technology, ASSOCHAM – Associated Chambers of Commerce and Industry of India, COAI – Cellular Operators Association of India, GSMA – Groupe Speciale Mobile Association, ISPAI – Internet Service Providers Association of India, NASSCOM-DSCI – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, ITI – Information Technology Industry Council, USIBC – US India Business Council, BSA – Business Software Alliance, EBG – European Business Group Federation, BIF – Broadband India Forum, ISACA – Information Systems Audit and Control Association, iSPIRIT – Indian Software Product Industry Round Table.

**Telecom Service Providers: AT&T Global Network Services India Pvt. Ltd., RJIL – Reliance Jio Infocomm Limited, MTNL – Mahanagar Telephone Nigam Limited, TTL – Tata Teleservices Limited, BSNL – Bharat Sanchar Nigam Limited, RCOM –  Reliance Communications Ltd., Telenor, Bharti Airtel, Idea Cellular Ltd, Vodafone.

***Civil Society Organisations/ Think Tanks: NLUD – National Law University, Delhi,  IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, ITfC – IT for Change, SFLC – Software Freedom Law Centre, FCSO – Federation of Consumer and Service Organization, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IFF – Internet Freedom Foundation, Access Now, Takshashila Foundation.

The following table projects the stance of the stakeholders consent based opt in/opt out mechanisms be the means of data collection.

*Industry Associations: IAMAI – Internet & Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, ACT – Association for Competitive Technology, ASSOCHAM – Associated Chambers of Commerce and Industry of India, COAI – Cellular Operators Association of India, GSMA – Groupe Speciale Mobile Association, ISPAI – Internet Service Providers Association of India, NASSCOM-DSCI – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, ITI – Information Technology Industry Council, USIBC – US India Business Council, BSA – Business Software Alliance, EBG – European Business Group Federation, BIF – Broadband India Forum, ISACA – Information Systems Audit and Control Association, iSPIRIT – Indian Software Product Industry Round Table.

**Telecom Service Providers: AT&T Global Network Services India Pvt. Ltd., RJIL – Reliance Jio Infocomm Limited, MTNL – Mahanagar Telephone Nigam Limited, TTL – Tata Teleservices Limited, BSNL – Bharat Sanchar Nigam Limited, RCOM –  Reliance Communications Ltd., Telenor, Bharti Airtel, Idea Cellular Ltd, Vodafone.

***Civil Society Organisations/ Think Tanks: NLUD – National Law University, Delhi,  IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, ITfC – IT for Change, SFLC – Software Freedom Law Centre, FCSO – Federation of Consumer and Service Organization, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IFF – Internet Freedom Foundation, Access Now, Takshashila Foundation.

The following table projects the stance of the stakeholders on the privacy principles that should be the basis for any mechanisms to deal with issues relating to data protection and use.

+ ITI & ACTO have responded in favour of multiple models, that is, they have suggested incorporating privacy principles from more than one of the sources for such principles as outlined in the above table.

++ RJIL has responded in favour of multiple models.

+++ Mozilla has responded in favour of multiple models.

*Industry Associations: IAMAI – Internet & Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, ACT – Association for Competitive Technology, ASSOCHAM – Associated Chambers of Commerce and Industry of India, COAI – Cellular Operators Association of India, GSMA – Groupe Speciale Mobile Association, ISPAI – Internet Service Providers Association of India, NASSCOM-DSCI – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, ITI – Information Technology Industry Council, USIBC – US India Business Council, BSA – Business Software Alliance, EBG – European Business Group Federation, BIF – Broadband India Forum, ISACA – Information Systems Audit and Control Association, iSPIRIT – Indian Software Product Industry Round Table.

**Telecom Service Providers: AT&T Global Network Services India Pvt. Ltd., RJIL – Reliance Jio Infocomm Limited, MTNL – Mahanagar Telephone Nigam Limited, TTL – Tata Teleservices Limited, BSNL – Bharat Sanchar Nigam Limited, RCOM –  Reliance Communications Ltd., Telenor, Bharti Airtel, Idea Cellular Ltd, Vodafone.

***Civil Society Organisations/ Think Tanks: NLUD – National Law University, Delhi,  IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, ITfC – IT for Change, SFLC – Software Freedom Law Centre, FCSO – Federation of Consumer and Service Organization, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IFF – Internet Freedom Foundation, Access Now, Takshashila Foundation.

Insights

Q1. Should All Concerned Stakeholders Be Covered By Single Distinct Data Protection Legislation?

• 49% of all stakeholders including 68.75% industry associations, 80% telecom service providers, 33.3% civil society organisations, 33.3% individuals, and 16.6% companies/firms agree that all stakeholders should be covered by distinct data protection legislation.
• 9.4% of all stakeholders, including 1% telecom service providers, 8.3% civil society and 33.3% companies/firms did not provide a clear stance on whether all stakeholders should be covered by distinct data protection legislation.
• 41.5% of all stakeholders including 31% industry associations, 1% telecom service providers, 25% civil society organisations, 66% individuals and 58.3% companies/firms did not comment on whether all stakeholders should be covered by distinct data protection legislation.
• None of the stakeholders suggested that all stakeholders should not be covered by distinct data protection legislation.

Q2. Should Consent Based  Opt In / Opt Out Mechanism Be The Means of Data Protection?

• 13% of all stakeholders including 25% of industry associations, 8.3% civil society organisations, and 16.6% of companies/firms agree that consent based opt-in/opt-out mechanisms should be the means of data collection.
• 1.8% of all stakeholders including 6.25% of industry associations disagreed that consent should not be the basis of data collection, and other legal bases such as legitimate interest must be recognised as the basis for data collection.
• 9.43% of all stakeholders including 6.25% of industry associations, 1% of telecom service providers, 8.3% of civil society organisations, 33.3% of individuals, and 8.3% companies/firms did not provide a clear stance on whether consent based opt-in/opt-out mechanisms should be the means of data collection.
• 75% of all stakeholders including 62.5 of industry associations, 90% telecom service providers, 83.3% of civil society organisations, 66.6% of individuals and 75% of companies/firms did not comment on whether consent based opt-in/opt-out mechanisms should be the means of data collection.

Q3. What Privacy Principles Should The Suggested Mechanisms Be Based On?

• 7% of all stakeholders including 12.5% industry associations, 1% telecom service providers, and 8.3% civil society organisations suggest that the mechanisms should be based on the privacy principles mentioned in the EU GDPR.
• 5% of all stakeholders including 18% industry associations suggest that the mechanisms should be based on the APEC privacy principles.
• 5% of all stakeholders including 1% of telecom service providers, 8.3% of civil society organisations and 8.3% of companies/firms suggest that the mechanisms should be based on the National Privacy Principles mentioned in the Report of the Justice A.P Shah Committee.
• 12% of all stakeholders including 25% industry associations, 1% telecom service providers, 8.3% civil society organisations and 8.3% of companies either recommend their own principles or suggest that the mechanisms should be based on principles derived from other sources such as the OPEC Privacy Principles, and the ICO’s Office.
• 71% of all stakeholders including 62.5% industry associations, 80% telecom service providers, 75% civil societies, 100% individuals and 91.6% companies/firms did not comment on what principles should the mechanisms be based on.

Detailed Mapping of Responses

A detailed mapping of the responses of all the fifty-three (53) stakeholders, including the stances of the stakeholders, their response to question nine(9) of the Consultation Paper and the suggestions they have made to the TRAI in view of the question, is available here.

[This post is authored by Veda Handa, a fifth-year undergraduate student of NLU, Delhi under the supervision of Pushan Dwivedi (Associate, TRA) during her online externship with TRA].