Ikigai LawIkigai LawIkigai LawIkigai Law
  • About Us
    • About
    • Our Team
    • FinTales
    • Tech Ticker
  • Practice Areas
  • Blog
  • News & Events
    • Ikigai Law in the news
    • Ikigai Law at events
    • Ikigailaw on the social media
  • Careers

TRAI recommendations on privacy, security and ownership of data in the telecom sector: Mapping of stakeholders’ opinions

    Home Data Governance TRAI recommendations on privacy, security and ownership of data in the telecom sector: Mapping of stakeholders’ opinions
    NextPrevious

    TRAI recommendations on privacy, security and ownership of data in the telecom sector: Mapping of stakeholders’ opinions

    By Ikigai Law | Data Governance | 0 comment | 10 September, 2018 | 6

    This note maps the position of all the stakeholders in relation to the Recommendations on Privacy, Security, and Ownership of the Data in the Telecom Sector (“Recommendations”) published by the Telecom Regulatory Authority of India (“TRAI”) on 16th  July, 2018. In order to address key data protection and privacy issues, the TRAI framed twelve (12) questions in the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector (“Consultation Paper”) and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.

    The tabulation of stakeholders’ position is based on the interpretation of responses of the respective stakeholders to the Consultation Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests, and comments, to rectify any such omission(s) or error(s) in this exercise, are duly invited.

    The following tables include the stakeholders who agree, disagree, are unclear in their stand, or have not responded to the issues underlying the respective Recommendations.

    1. RECOMMENDATIONS ON PERSONAL DATA

    The following table lists the stakeholders whose responses to the Consultation Paper are in alignment with the Recommendations on issues underlying the scope and processing of personal data. The table also lists the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on personal data.

     

     

    S. No. Recommendations Stakeholders who agree with the Recommendations Stakeholders who disagree with the Recommendations Stakeholders who are unclear in their stand Stakeholders who have not responded
    1. The definitions of “Data” as provided under Information Technology Act, 2000, and “Personal Information” and “Sensitive Personal Data and information” as provided under Sensitive Personal Data and Information Rules, 2011, as reproduced below, are adequate for the present.

     

    a.     “Data” – defined in section 2(1)(o) of the Information Technology Act, 2000 as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

    b.     “Personal information”– defined in the Sensitive Personal Data and Information Rules, 2011 as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

    c.     “Sensitive personal data or Information”– defined in the Sensitive Personal Data and Information Rules, 2011 as such personal information which consists of information relating to:- password, financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

    1.     ASSOCHAM

    2.     COAI

    3.     GSMA

    4.     ISPAI

    5.     BSA

    6.     EBG

    7.     AT&T

    8.     Bharti Airtel Ltd.

    9.     TTL

    10.  Telenor

    11.  Vodafone

    12.  Make My Trip

    1.     NASSCOM-DSCI

    2.     USISPF

    3.     ITI

    4.     iSPIRT

    5.     USIBC

    6.     Idea Cellular Ltd.

    7.     MTNL

    8.     RCOM

    9.     BSNL

    10.  NLUD

    11.  Takshashila Institution

    12.  Access Now

    13.  IDP

    14.  CIS

    15.  ITfC

    16.  SFLC.in

    17.  CUTS

    18.  CGS

    19.  CPA

    20.  Sangeet Sindhan

    21.  Zeotap Pvt. Ltd.

    22.  IBM

    23.  Sigfox

    24.  Exotel

    25.  KOAN

    26.  Citibank

    27.  Redmorph

    1.     IAMAI

    2.     ACTO

    3.     BIF

    4.     RJIL

    5.     IFF

    6.     Mozilla

    7.     Disney India

    1.     ACT

    2.     ISACA

    3.     FCSO

    4.     Baijayant Jay Panda

    5.     Apurv jain

    6.     Span Technologies

    7.     Ikigai Law

     

    2. Each user owns his/ her personal information/ data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data. 1.     Exotel Techcom Pvt. Ltd.

    2.     Consumer Guidance Society

    1.     ItfC All the remaining stakeholders who had responded to the Consultation Paper
    3. A study should be undertaken to formulate the standards for annonymisation/ de-identification of personal data generated and collected in the digital eco-system. 1.     ACTO

    2.     Sigfox

    3.     USISPF

    4.     BIF

    5.     RCOM

    6.     AT&T

    7.     EBG

    8.     KOAN

    9.     CIS

    1.     ITI

    2.     USIBC

    1.     Zeotap India Pvt. Ltd.

    2.     IBM

    3.     Exotel Techcom Pvt. Ltd.

    4.     Mozilla Corporation

    5.     BSA

    6.     NLU-D

    All the remaining stakeholders who had responded to the Consultation Paper.
    4. All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users. 1.     SFLC.in

     

    1.     Vodafone 1.     Apurv Jain

    2.     GSMA

    All the remaining stakeholders who had responded to the Consultation Paper.

     

    Stakeholders: ASSOCHAM – The Associated Chambers of Commerce of India, COAI – Cellular Operators Association of India, GSMA – GSM Association, ISPAI – Internet Service Providers Association of India, BSA – Business Software Alliance, EBG – European Business Group, TTL – Tata Teleservices Ltd., NASSCOM-DSCI[1] – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, iSPIRIT – Indian Software Product Industry Round Table, USIBC – US India Business Council, MTNL – Mahanagar Telephone Nigam Limited, BSNL – Bharat Sanchar Nigam Limited, IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, SFLC.in – Software Freedom Law Centre, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IAMAI – Internet and Mobile Association of India,  ACTO – Association Of Competitive Telecom Operators, BIF – Broadband India Forum, RJIL – Reliance Jio Infocomm Limited, IFF – Internet Freedom Foundation, ACT – Association for Competitive Technology, ISACA – Information Systems Audit and Control Association, FCSO – Federation of Consumer and Service Organization, ITI – Information Technology Industry Council.

     

     

    1. RECOMMENDATION ON EXISTING DATA PROTECTION NORMS

    The table lists the stakeholders whose responses are in alignment with the Recommendations related to sufficiency of the existing data protection norms in the telecom sector. The table also specifies the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on sufficiency of the existing data protection norms in the telecom sector.

     

    S. No. Recommendations Stakeholders who agree Stakeholders who disagree Stakeholders who are unclear in their stand Stakeholers who have not responded
    1. a) The existing framework for protection of the personal information/ data of telecom consumers is not sufficient. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework.

     

    1.     Access Now

    2.     Apurv Jain

    3.     Baijayant Jay Panda

    4.     BSNL

    5.     CIS

    6.     Citibank

    7.     Consumer Protection Association

    8.     Consumer’s Guidance Society

    9.     CUTS

    10.  Exotel

    11.  Federation of Consumers and Service Organisation

    12.  GSMA

    13.  IBM

    14.  Internet Democracy Project

    15.  Internet Freedom Foundation

    16.  ISPAI

    17.  iSPIRT

    18.  IT for Change

    19.  ITI

    20.  KOAN Advisory

    21.  MakeMyTrip

    22.  Mozilla Corporation

    23.  NASSCOM-DSCI

    24.  NLU, Delhi

    25.  Redmorph

    26.  Reliance Communications

    27.  Sangeet Sindan

    28.  SLFC

    29.  Telenor India

    30.  USISPF

    31.  Vodafone

    32.  Zeotap India

     

    1.     ACTO

    2.     Airtel

    3.     ASSOCHAM

    4.     AT&T

    5.     COAI

    6.     EBG Federation

    7.     Idea Cellular

    8.     MTNL

    9.     Reliance Jio Infocomm

    10.  Sigfox

    11.  Tata Teleservices

    12.  USIBC

    1.     BIF

    2.     IAMAI

     

    1.     ACT

    2.     BSA

    3.     Disney Broadcasting (India) Ltd

    4.     ISACA

    5.     Span Technologies

    6.     Ikigai Law

     

    b) Till such time a general data protection law is notified by the Government, the existing Rules/ License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers, and Applications.

     

    1.     IAMAI

    2.     ASSOCHAM

    3.     COAI

    4.     GSMA

    5.     ISPAI

    6.     NASSCOM-DSCI

    7.     USISPF

    8.     ITI

    9.     iSPIRIT

    10.  USIBC

    11.  BIF

    12.  AT&T

    13.  RJIL

    14.  Bharti Airtel

    15.  Telenor

    16.  BSNL

    17.  TTL

    18.  MTNL

    19.  Idea Cellular

    20.  NLUD

    21.  Access Now

    22.  IFF

    23.  CIS

    24.  Baijayant Jai Panda

    25.  Span

    26.  Mozilla

     

    1.     Vodafone

    2.     Takshashila Foundation

    3.     IBM

    4.     Make My Trip

    5.     Sigfox

     

    1.     ACTO

    2.     IASACA

    3.     BSA

    4.     EBG

    5.     ACT

    6.     RCOM

    7.     IDP

    8.     ITfC

    9.     SFLC.in

    10.  FSCO

    11.  CUTS

    12.  CGS

    13.  CPA

    14.  Sangeet Sindan

    15.  Apurv Jain

    16.  Redmorph

    17.  Ikigai Law

    18.  Zeotap

    19.  Exotel

    20.  KOAN

    21.  Citibank

    22.  Disney Indian Broadcasting Ltd

     

    c) Privacy by design principle should be made applicable to all the entities in the digital ecosystem viz, Service providers, Devices, Browsers, Operating Systems, Applications etc. The concept of “Data Minimisation” should be inherent to the Privacy by Design principle implementation. Here “Data Minimisation” denotes the concept of collection of bare minimum data which is essential for providing that particular service to the consumers. 1.     Zeotap India Pvt.Ltd.

    2.     Sigfox

    3.     Mozillla

    4.     KOAN

    5.     IFF

    6.     IDP

    7.     RJIL

    – – All the remaining stakeholders who had responded to the Consultation Paper.

     

     

    1. TRAI RECOMMENDATIONS ON USER EMPOWERMENT

    This table lists the stakeholders whose opinions to the Consultation Paper are in alignment with the Recommendation in relation to user empowerment. It also provides lists of the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on user empowerment..

     

    S. No. Recommendations Stakeholders who agree Stakeholders who disagree Stakeholders who are unclear in their stand Stakeholders who have not responded
    a) The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers.
    i) Right to choice should be conferred upon the telecommunication consumers. 1.     CUTS

    2.     ASSOCHAM

    3.     NASSCOM-DSCI

    4.     ACT

    5.     ISACA

    6.     Access Now

    7.     SFLC.in

    1.     USIBC 1.     BSA

    2.     SFLC.in

    3.     BSNL

    4.     RJIL

    5.     Citibank

    6.     Sangeet Sindan

    All the remaining stakeholders who had responded to the Consultation Paper.
    ii) Notice should be conferred upon the telecommunication consumers.

     

    1.     NLUD

    2.     Access Now

    3.     USISPF

    4.     CIS

    5.     Idea Cellular Ltd.

    6.     IDC

    – – All the remaining stakeholders who had responded to the Consultation Paper
    iii) Consent should be conferred upon the telecommunication consumers.

     

    1. CUTS
    2. ASSOCHAM
    3. NASSCOM-DSCI
    4. ITI
    5. ACT
    6. ISACA
    7. Access Now
    8. SFLC.in
    9. IAMAI
    1.     USIBC 1.     BSA

    2.     SFLC

    3.     BSNL

    4.     RJIL

    5.     Citibank

    6.     Sangeet Sindan

    All the remaining stakeholders who had responded to the Consultation Paper.
    iv) Data portability should be conferred upon the telecommunication consumers.

     

    1.     NASSCOM-DSCI

    2.     ISACA

    3.     USISPF

    4.     ITI

    – – All the remaining stakeholders who had responded to the Consultation Paper.
    v) Right to be forgotten should be conferred upon the telecommunication consumers. 1.     GSMA

    2.     ISPAI

    3.     NASSCOM-DSCI

    4.     ISACA

    5.     CIS

    – – All the remaining stakeholders who had responded to the Consultation Paper.
    b) In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers. 1.     USISPF

    2.     Takshashila Institution

    – – All the remaining stakeholders who had responded to the Consultation Paper.
    c) For the benefit of telecommunication users’, a framework, on the basis of the Electronic Consent Framework developed by MeitY and on lines of the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.
    i) For the benefit of telecommunication users’, a framework, on the basis of the Electronic Consent Framework developed by MeitY, should be notified for telecommunication sector also. 1.     iSPIRIT

    2.     GSMA

    – RedMorph All the remaining stakeholders who had responded to the Consultation Paper.
    ii) For the benefit of telecommunication users’, a framework on lines of the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. – – 1.     RedMorph All the remaining stakeholders who had responded to the Consultation Paper.
    d) Multilingual, easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities in the digital ecosystem for the benefit of consumers.
    i) Multilingual be made mandatory for all the entities in the digital ecosystem for the benefit of consumers.

     

    1.     USIBC – – All the remaining stakeholders who had responded to the Consultation Paper.
    ii) Easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities in the digital eco -system for the benefit of consumers. 1.     SFLC.in – – All the remaining stakeholders who had responded to the Consultation Paper.
    e) Data Controllers should be prohibited from using “preticked boxes” to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
    i) Clauses for data collection should be incorporated in the agreements. 1.     IBM

    2.     KOAN

    3.     Make My Trip

    4.     AT&T

    – – All the remaining stakeholders who had responded to the Consultation Paper.
    ii) Purpose limitation should be incorporated in the agreements. 1.     Mozilla Corporation – – All the remaining stakeholders who had responded to the Consultation Paper.
    f) It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users.
    i) It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. – – – All the remaining stakeholders who had responded to the Consultation Paper.
    ii) Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users. – – – All the remaining stakeholders who had responded to the Consultation Paper.
    i) Consumer awareness programs be undertaken to spread awareness about data protection and privacy issues so that the users can take well informed decisions about their personal data. 1.     CIS

    2.     IAMAI

    3.     CUTS

    4.     NASSCOM –  DSCI

    5.     Telenor

    6.     USIBC

    7.     USISPF

    8.     BIF

    9.     BSNL

    10.  Consumer Protection Association

    – 1.     GSMA All the remaining stakeholders who had responded to the Consultation Paper.
    j) The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership, protection, and privacy.
    i) The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership. All the remaining stakeholders who had responded to the Consultation Paper.
    ii) The Government should put in place a mechanism for redressal of telecommunication. consumers’ grievances relating to protection, and privacy. 1.     NLUD

    2.     Internet Democracy Project

    3.     Citibank

    4.     CUTS

    5.     IAMAI

    6.     CIS

    7.     USISPF

    8.     AT&T

    9.     BIF

    10.  Span Technologies

    11.  Software Freedom Law Centre (SLFC)

    12.  Exotel Techcom Pvt. Ltd.

    13.  Sangeet Sindan

    14.  NASSCOM – DSCI

    15.  Takshashila Institution

    – 1.     BSNL All the remaining stakeholders who had responded to the Consultation Paper.

     

    1. TRAI RECOMMENDATION ON SECURITY OF DATA AND TELECOM NETWORKS

    The table lists the stakeholders whose responses to the Consultation Paper are in alignment with the Recommendations on security of data and telecom networks, The table also provides lists of those stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on security of data and telecom networks.

     

    S. No. Recommendations Stakeholders who agree Stakeholders who disagree Stakeholders who are unclear in their stand Stakeholders who have not responded
    1. a)     Department of Telecommunication should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors. 1.     IAMAI

    2.     ACTO

    3.     ASSOCHAM

    4.     IBM

    5.     CIS

    6.     USIBC

    7.     EBG

    8.     AT&T

    9.     BIF

    10.  RCOM

    – – All the remaining stakeholders who had responded to the Consultation Paper.
    b) To ensure the privacy of users, National Policy for Encryption of personal data, generated and collected in the digital eco-system, should be notified by the Government at the earliest. – – – All the remaining stakeholders who had responded to the Consultation Paper.
    c) For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem. Decryption should be permitted on a need basis by authorized entities in accordance to consent of the consumer or as per requirement of the law. – 1.     Access Now

    2.     ACT

    3.     IBM

    4.     ITI

    5.     USIBC

    6.     EBG

    7.     AT&T

    1.     RCOM All the remaining stakeholders who had responded to the Consultation Paper.
    d) A common platform should be created for sharing of information relating to data security breach incidents by all entities in the digital ecosystem including telecom service providers. It should be made mandatory for all entities in the digital ecosystem including telecom service providers to be a part of this platform. – – 1.     iSPIRIT

    2.     Vodafone

    3.     Mozilla

    4.     Telenor

    5.     BSNL

    6.     KOAN

    7.     GSMA

    All the remaining stakeholders who had responded to the Consultation Paper.
    e)  Data security breaches may take place in-spite of adoption of best practices/ necessary measures taken by the data controllers and processors. Sharing of information concerning to data security breaches should be encouraged and incentivized to prevent/ mitigate such occurrences in future. 1.     KOAN

    2.     Vodafone

    3.     Telenor

    4.     BSNL

    5.     iSPIRIT

    6.     Mozilla

    7.     NASSCOM-DSCI

    1.     GSMA All the remaining stakeholders who had responded to the Consultation Paper.

     

    [This post has been authored by Karan Dhingra, a fifth-year law student of Jindal Global Law School, Sumit Mishra, a fifth-year law student from National Law University, Odisha and Raghav Mudgal, a fourth-year law student of RGNUL during their internships with Ikigai Law, with inputs from Pushan Dwivedi, Associate, Ikigai Law.]

     

    #ConsultationPaper, #DataControllers, #DataProtection, #DataSubjects, #DataTransfer, #IndianGovernment, #InformedConsent, #MeaningfulConsent, #PersonalData, #TechPolicy, #UserEmpowerment, Choice, Consent, Consultation, Government, Ikigai Law, Innovation, Notice, Privacy, Processing, Protection, Recommendation, Security, Stakeholders, TRAI

    Ikigai Law

    More posts by Ikigai Law

    Related Post

    • Stakeholders’ responses to the White Paper on a data protection framework in India

      By Ikigai Law | 0 comment

      In a 4 part series, we have mapped the publicly accessible opinions of 27 stakeholders on the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017Read more

    • Stakeholders’ responses to the TRAI privacy consultation paper

      By Ikigai Law | 0 comment

      In a 12 part series, we have mapped stakeholders’ comments to the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector by Telecom Regulatory Authority of India (TRAI). In order toRead more

    • Mapping comments to the Srikrishna Committee on data protection (Part IV): Grounds of processing

      By Ikigai Law | 0 comment

      This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27th November, 2017 (“White Paper”). While all responses toRead more

    • Stakeholders’ responses to the TRAI privacy consultation paper (Part XII of XII): Technological solutions to monitor compliance

      By Ikigai Law | 0 comment

      This is the twelfth post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, andRead more

    • Stakeholders’ responses to the TRAI privacy consultation paper (Part XI of XII): Parity in the data protection norms between TSPs and other communication service providers

      By Ikigai Law | 0 comment

      This is the eleventh post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the consultation paper on Privacy, Security, andRead more

    Leave a Comment

    Cancel reply

    Your email address will not be published. Required fields are marked *

    NextPrevious

    Tags

    #DataProtection #Fintales bitcoin Blockchain Budget Consent Consultation Consultation Paper cryptocurrency data Data Controllers data governance Data localisation Data Protection Data Subjects digital economy Digital India Drones E-Commerce Facebook Fintech Government Government of India healthtech Ikigai Law India Indian government Innovation MeITY Notice Payments Personal Data policy Privacy RBI Recommendation Regulation Srikrishna Committee Stakeholders Startups Surveillance Technology Tech Policy TechTicker TRAI

    Connect with Ikigai Law

    Copyright 2018 Ikigai Law | All Rights Reserved             

    Information

    • Practice Areas
    • Blog
    • Careers
    • Contact Us
    • Privacy Policy

    Contact us

    Office
    T-7/402, Commonwealth Games Village Apartment,
    New Delhi, Delhi 110092 India.

    Email Address

    contact@ikigailaw.com

    • About Us
      • About
      • Our Team
      • FinTales
      • Tech Ticker
    • Practice Areas
    • Blog
    • News & Events
      • Ikigai Law in the news
      • Ikigai Law at events
      • Ikigailaw on the social media
    • Careers
    Ikigai Law