Stakeholders’ responses to the TRAI privacy consultation paper

In a 12 part series, we have mapped stakeholders’ comments to the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector by Telecom Regulatory Authority of India (TRAI). In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.

In each of our posts, a table provides a brief snapshot of where different stakeholders stand on the issue being addressed in the post along with a link to a larger document mapping responses in more detail.

Posts are based entirely on our understanding of stakeholders’ responses made public by TRAI. We have not reached out to anyone for clarifications/comments on their comments to TRAI. We hope that this provides some insight into what some stakeholders in the country are thinking. The following 12 posts are accessible on our blog:

1. Part 1 – Data Protection Norms: Addresses the question of adequacy of data protection norms in India’s telecom sector currently, and whether/what changes (if any) are needed.
2. Part 2 – Data Sandboxes:  Addresses the question of whether government should set up a data sandbox “which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?“
3. Part 3 – Cross Border Data Flows: Addresses the question of jurisdictional challenges and measures needed to address issues arising from cross border data flows and data localization.
4. Part 4 – Data Controllers: Addresses questions around rights and obligationsof data controllers, including a regulatory framework to govern them and whether rights of a data controller should supersede rights of an individual over her personal data.
5. Part 5 – Audit Mechanisms: Addresses questions around mandating technologyenabled audit mechanism to scrutinize the use of personal data and consent.
6. Part 6 – Legitimate Exceptions, Exemptions and Lawful Surveillance:Addresses the question on what should be legitimate exceptions to data protection requirements, and whether they should be limited to national security and law enforcement.
7. Part 7 – Definition and Scope of Personal Data and Consent: Addresses questions around the definition of personal data, contours of user consent and how users should be empowered.
8. Part 8 – Collection and Use of Personal Data: Addresses questions on opt-in/opt-out mechanisms, privacy principles and whether there should be a single data protection law.
9. Part 9 – How to create new data based businesses: Addresses questions around promoting anonymization of personal data and encouraging self-regulatory or light-touch regulatory measures to encourage the creation of new data driven businesses.
10. Part 10 – Security of Telecommunications Infrastructure and Digital Ecosystem: Addresses the question of measures to ensure safety and security of telecom infrastructure and digital ecosystem.
11. Part 11 – Parity in Data Protection Norms between TSPs and other Communication Service Providers: Addresses the question on whether TSPs and communication service providers providing similar services should be treated alike for data protection norms.
12. Part 12 – Technological Solutions to Monitor Compliance: Addresses the question of whether the government should set up a technology based compliance monitoring mechanism, and potentially what it might look like.

[This post is authored by Pushan Dwivedi, Associate, Ikigai with inputs from Nehaa Chaudhari, Public Policy Lead, TRA.]