This note maps the position of all the stakeholders in relation to the Recommendations on Privacy, Security, and Ownership of the Data in the Telecom Sector (“Recommendations”) published by the Telecom Regulatory Authority of India (“TRAI”) on 16th July, 2018. In order to address key data protection and privacy issues, the TRAI framed twelve (12) questions in the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector (“Consultation Paper”) and invited comments to these questions. In total, fifty-three (53) stakeholders submitted detailed responses. Comments of all stakeholders are available here. Our comments to the Consultation Paper are available here.
The tabulation of stakeholders’ position is based on the interpretation of responses of the respective stakeholders to the Consultation Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests, and comments, to rectify any such omission(s) or error(s) in this exercise, are duly invited.
The following tables include the stakeholders who agree, disagree, are unclear in their stand, or have not responded to the issues underlying the respective Recommendations.
- RECOMMENDATIONS ON PERSONAL DATA
The following table lists the stakeholders whose responses to the Consultation Paper are in alignment with the Recommendations on issues underlying the scope and processing of personal data. The table also lists the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on personal data.
S. No. | Recommendations | Stakeholders who agree with the Recommendations | Stakeholders who disagree with the Recommendations | Stakeholders who are unclear in their stand | Stakeholders who have not responded |
1. | The definitions of “Data” as provided under Information Technology Act, 2000, and “Personal Information” and “Sensitive Personal Data and information” as provided under Sensitive Personal Data and Information Rules, 2011, as reproduced below, are adequate for the present.
a. “Data” – defined in section 2(1)(o) of the Information Technology Act, 2000 as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. b. “Personal information”– defined in the Sensitive Personal Data and Information Rules, 2011 as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. c. “Sensitive personal data or Information”– defined in the Sensitive Personal Data and Information Rules, 2011 as such personal information which consists of information relating to:- password, financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules. |
1. ASSOCHAM
2. COAI 3. GSMA 4. ISPAI 5. BSA 6. EBG 7. AT&T 8. Bharti Airtel Ltd. 9. TTL 10. Telenor 11. Vodafone 12. Make My Trip |
1. NASSCOM-DSCI
2. USISPF 3. ITI 4. iSPIRT 5. USIBC 6. Idea Cellular Ltd. 7. MTNL 8. RCOM 9. BSNL 10. NLUD 11. Takshashila Institution 12. Access Now 13. IDP 14. CIS 15. ITfC 16. SFLC.in 17. CUTS 18. CGS 19. CPA 20. Sangeet Sindhan 21. Zeotap Pvt. Ltd. 22. IBM 23. Sigfox 24. Exotel 25. KOAN 26. Citibank 27. Redmorph |
1. IAMAI
2. ACTO 3. BIF 4. RJIL 5. IFF 6. Mozilla 7. Disney India |
1. ACT
2. ISACA 3. FCSO 4. Baijayant Jay Panda 5. Apurv Jain 6. Span Technologies 7. Ikigai Law
|
2. | Each user owns his/ her personal information/ data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data. | 1. Exotel Techcom Pvt. Ltd.
2. Consumer Guidance Society |
1. ITfC | All the remaining stakeholders who had responded to the Consultation Paper | |
3. | A study should be undertaken to formulate the standards for anonymisation/ de-identification of personal data generated and collected in the digital eco-system. | 1. ACTO
2. Sigfox 3. USISPF 4. BIF 5. RCOM 6. AT&T 7. EBG 8. KOAN 9. CIS |
1. ITI
2. USIBC |
1. Zeotap India Pvt. Ltd.
2. IBM 3. Exotel Techcom Pvt. Ltd. 4. Mozilla Corporation 5. BSA 6. NLU-D |
All the remaining stakeholders who had responded to the Consultation Paper. |
4. | All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users. | 1. SFLC.in
|
1. Vodafone | 1. Apurv Jain
2. GSMA |
All the remaining stakeholders who had responded to the Consultation Paper. |
Stakeholders: ASSOCHAM – The Associated Chambers of Commerce of India, COAI – Cellular Operators Association of India, GSMA – GSM Association, ISPAI – Internet Service Providers Association of India, BSA – Business Software Alliance, EBG – European Business Group, TTL – Tata Teleservices Ltd., NASSCOM-DSCI[1] – National Association of Software and Services Companies – Data Security Council of India, USISPF – U.S. India Strategic Partnership Forum, iSPIRIT – Indian Software Product Industry Round Table, USIBC – US India Business Council, MTNL – Mahanagar Telephone Nigam Limited, BSNL – Bharat Sanchar Nigam Limited, IDP – Internet Democracy Project, CIS – The Centre for Internet and Society, SFLC.in – Software Freedom Law Centre, CUTS – Consumer Unity and Trust Society, CGS – Consumer Guidance Society, CPA – Consumer Protection Association, IAMAI – Internet and Mobile Association of India, ACTO – Association Of Competitive Telecom Operators, BIF – Broadband India Forum, RJIL – Reliance Jio Infocomm Limited, IFF – Internet Freedom Foundation, ACT – Association for Competitive Technology, ISACA – Information Systems Audit and Control Association, FCSO – Federation of Consumer and Service Organization, ITI – Information Technology Industry Council.
- RECOMMENDATION ON EXISTING DATA PROTECTION NORMS
The table lists the stakeholders whose responses are in alignment with the Recommendations related to sufficiency of the existing data protection norms in the telecom sector. The table also specifies the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on sufficiency of the existing data protection norms in the telecom sector.
S. No. | Recommendations | Stakeholders who agree | Stakeholders who disagree | Stakeholders who are unclear in their stand | Stakeholders who have not responded |
1. | a) The existing framework for protection of the personal information/ data of telecom consumers is not sufficient. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework.
|
1. Access Now
2. Apurv Jain 3. Baijayant Jay Panda 4. BSNL 5. CIS 6. Citibank 7. Consumer Protection Association 8. Consumer’s Guidance Society 9. CUTS 10. Exotel 11. Federation of Consumers and Service Organisation 12. GSMA 13. IBM 14. Internet Democracy Project 15. Internet Freedom Foundation 16. ISPAI 17. iSPIRT 18. IT for Change 19. ITI 20. KOAN Advisory 21. MakeMyTrip 22. Mozilla Corporation 23. NASSCOM-DSCI 24. NLU, Delhi 25. Redmorph 26. Reliance Communications 27. Sangeet Sindan 28. SFLC 29. Telenor India 30. USISPF 31. Vodafone 32. Zeotap India
|
1. ACTO
2. Airtel 3. ASSOCHAM 4. AT&T 5. COAI 6. EBG Federation 7. Idea Cellular 8. MTNL 9. Reliance Jio Infocomm 10. Sigfox 11. Tata Teleservices 12. USIBC |
1. BIF
2. IAMAI
|
1. ACT
2. BSA 3. Disney Broadcasting (India) Ltd 4. ISACA 5. Span Technologies 6. Ikigai Law
|
b) Till such time a general data protection law is notified by the Government, the existing Rules/ License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers, and Applications.
|
1. IAMAI
2. ASSOCHAM 3. COAI 4. GSMA 5. ISPAI 6. NASSCOM-DSCI 7. USISPF 8. ITI 9. iSPIRIT 10. USIBC 11. BIF 12. AT&T 13. RJIL 14. Bharti Airtel 15. Telenor 16. BSNL 17. TTL 18. MTNL 19. Idea Cellular 20. NLUD 21. Access Now 22. IFF 23. CIS 24. Baijayant Jai Panda 25. Span 26. Mozilla
|
1. Vodafone
2. Takshashila Foundation 3. IBM 4. Make My Trip 5. Sigfox
|
1. ACTO
2. ISACA 3. BSA 4. EBG 5. ACT 6. RCOM 7. IDP 8. ITfC 9. SFLC.in 10. FCSO 11. CUTS 12. CGS 13. CPA 14. Sangeet Sindan 15. Apurv Jain 16. Redmorph 17. Ikigai Law 18. Zeotap 19. Exotel 20. KOAN 21. Citibank 22. Disney Indian Broadcasting Ltd
|
||
c) Privacy by design principle should be made applicable to all the entities in the digital ecosystem viz, Service providers, Devices, Browsers, Operating Systems, Applications etc. The concept of “Data Minimisation” should be inherent to the Privacy by Design principle implementation. Here “Data Minimisation” denotes the concept of collection of bare minimum data which is essential for providing that particular service to the consumers. | 1. Zeotap India Pvt.Ltd.
2. Sigfox 3. Mozilla 4. KOAN 5. IFF 6. IDP 7. RJIL |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. |
- TRAI RECOMMENDATIONS ON USER EMPOWERMENT
This table lists the stakeholders whose responses to the Consultation Paper are in alignment with the Recommendations in relation to user empowerment. It also lists the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on user empowerment.
S. No. | Recommendations | Stakeholders who agree | Stakeholders who disagree | Stakeholders who are unclear in their stand | Stakeholders who have not responded | ||||
a) | The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers. | ||||||||
i) | Right to choice should be conferred upon the telecommunication consumers. | 1. CUTS
2. ASSOCHAM 3. NASSCOM-DSCI 4. ACT 5. ISACA 6. Access Now 7. SFLC.in |
1. USIBC | 1. BSA
2. SFLC.in 3. BSNL 4. RJIL 5. Citibank 6. Sangeet Sindan |
All the remaining stakeholders who had responded to the Consultation Paper. | ||||
ii) | Notice should be conferred upon the telecommunication consumers.
|
1. NLUD
2. Access Now 3. USISPF 4. CIS 5. Idea Cellular Ltd. 6. IDC |
– | – | All the remaining stakeholders who had responded to the Consultation Paper | ||||
iii) | Consent should be conferred upon the telecommunication consumers.
|
|
1. USIBC | 1. BSA
2. SFLC 3. BSNL 4. RJIL 5. Citibank 6. Sangeet Sindan |
All the remaining stakeholders who had responded to the Consultation Paper. | ||||
iv) | Data portability should be conferred upon the telecommunication consumers.
|
1. NASSCOM-DSCI
2. ISACA 3. USISPF 4. ITI |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
v) | Right to be forgotten should be conferred upon the telecommunication consumers. | 1. GSMA
2. ISPAI 3. NASSCOM-DSCI 4. ISACA 5. CIS |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
b) | In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers. | 1. USISPF
2. Takshashila Institution |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
c) | For the benefit of telecommunication users’, a framework, on the basis of the Electronic Consent Framework developed by MeitY and on lines of the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users. | ||||||||
i) | For the benefit of telecommunication users’, a framework, on the basis of the Electronic Consent Framework developed by MeitY, should be notified for telecommunication sector also. | 1. iSPIRIT
2. GSMA |
– | RedMorph | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
ii) | For the benefit of telecommunication users’, a framework on lines of the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. | – | – | 1. RedMorph | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
d) | Multilingual, easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities in the digital ecosystem for the benefit of consumers. | ||||||||
i) | Multilingual be made mandatory for all the entities in the digital ecosystem for the benefit of consumers.
|
1. USIBC | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
ii) | Easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities in the digital eco -system for the benefit of consumers. | 1. SFLC.in | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
e) | Data Controllers should be prohibited from using “preticked boxes” to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements. | ||||||||
i) | Clauses for data collection should be incorporated in the agreements. | 1. IBM
2. KOAN 3. Make My Trip 4. AT&T |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
ii) | Purpose limitation should be incorporated in the agreements. | 1. Mozilla Corporation | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
f) | It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users. | ||||||||
i) | It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. | – | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
ii) | Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users. | – | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
i) | Consumer awareness programs be undertaken to spread awareness about data protection and privacy issues so that the users can take well informed decisions about their personal data. | 1. CIS
2. IAMAI 3. CUTS 4. NASSCOM – DSCI 5. Telenor 6. USIBC 7. USISPF 8. BIF 9. BSNL 10. Consumer Protection Association |
– | 1. GSMA | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
j) | The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership, protection, and privacy. | ||||||||
i) | The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership. | All the remaining stakeholders who had responded to the Consultation Paper. | |||||||
ii) | The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to protection, and privacy. | 1. NLUD
2. Internet Democracy Project 3. Citibank 4. CUTS 5. IAMAI 6. CIS 7. USISPF 8. AT&T 9. BIF 10. Span Technologies 11. Software Freedom Law Centre (SFLC) 12. Exotel Techcom Pvt. Ltd. 13. Sangeet Sindan 14. NASSCOM – DSCI 15. Takshashila Institution |
– | 1. BSNL | All the remaining stakeholders who had responded to the Consultation Paper. | ||||
- TRAI RECOMMENDATION ON SECURITY OF DATA AND TELECOM NETWORKS
The table lists the stakeholders whose responses to the Consultation Paper are in alignment with the Recommendations on security of data and telecom networks. The table also lists the stakeholders who either disagree, are unclear in their stand, or have not responded to the issues underlying the Recommendations on security of data and telecom networks.
S. No. | Recommendations | Stakeholders who agree | Stakeholders who disagree | Stakeholders who are unclear in their stand | Stakeholders who have not responded |
1. | a) Department of Telecommunication should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors. | 1. IAMAI
2. ACTO 3. ASSOCHAM 4. IBM 5. CIS 6. USIBC 7. EBG 8. AT&T 9. BIF 10. RCOM |
– | – | All the remaining stakeholders who had responded to the Consultation Paper. |
b) To ensure the privacy of users, National Policy for Encryption of personal data, generated and collected in the digital eco-system, should be notified by the Government at the earliest. | – | – | – | All the remaining stakeholders who had responded to the Consultation Paper. | |
c) For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem. Decryption should be permitted on a need basis by authorized entities in accordance to consent of the consumer or as per requirement of the law. | – | 1. Access Now
2. ACT 3. IBM 4. ITI 5. USIBC 6. EBG 7. AT&T |
1. RCOM | All the remaining stakeholders who had responded to the Consultation Paper. | |
d) A common platform should be created for sharing of information relating to data security breach incidents by all entities in the digital ecosystem including telecom service providers. It should be made mandatory for all entities in the digital ecosystem including telecom service providers to be a part of this platform. | – | – | 1. iSPIRIT
2. Vodafone 3. Mozilla 4. Telenor 5. BSNL 6. KOAN 7. GSMA |
All the remaining stakeholders who had responded to the Consultation Paper. | |
e) Data security breaches may take place in-spite of adoption of best practices/ necessary measures taken by the data controllers and processors. Sharing of information concerning to data security breaches should be encouraged and incentivized to prevent/ mitigate such occurrences in future. | 1. KOAN
2. Vodafone 3. Telenor 4. BSNL 5. iSPIRIT 6. Mozilla 7. NASSCOM-DSCI |
1. GSMA | All the remaining stakeholders who had responded to the Consultation Paper. |
[This post has been authored by Karan Dhingra, a fifth-year law student of Jindal Global Law School, Sumit Mishra, a fifth-year law student from National Law University, Odisha and Raghav Mudgal, a fourth-year law student of RGNUL during their internships with Ikigai Law, with inputs from Pushan Dwivedi, Associate, Ikigai Law.]