Summary of the Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector
Chapter I – Introduction and Background
The evolution of telecommunications services in the recent times has been of great advantage by aiding the overall economic and social development of the country, enabling better connectivity among users and emergence of a variety of new business models and increasing the use of information and communication technology services (ICT) services. Moreover, the user’s interaction with the modern ICT services through any form of content lately has increased the quantity and value of data that is being generated in large amounts. This leap in the generation of data to 9 times the earlier amount in the last two years has enabled (i) businesses/agencies to monetise their products/services and gain a competitive edge over others, (ii) government agencies to efficiently deliver services and prevent/handle crimes, by the use of tools like data collection, storage and analytics. (para 1.1 to 1.2)
While recognizing the benefits and potential of data analytics, the rights of individuals in association with data protection i.e. the ability of individuals to understand/control the access/use of their information by others, also needs to be given due importance specifically the issue of informational privacy. In this context, establishing the ownership of the data is imperative which also brings in the dimension of empowerment to the user. (para 1.3 to 1.4)
The rationale for govt. intervention is to prevent harm to consumers in this sphere arises on account of: (i) issue of under-estimation by consumers about (a) the long term consequences of their actions while consenting to share their personal information to avail benefits (bounded rationality), (b) the value of their personal data and ignorance about the scale and use of their data collected by data users (information asymmetry), and (ii) issue of service providers generating, holding data and using it to get into adjacencies (data monopoly). (para 1.4)
The govt./authorized agencies should enable the growth of the industry either by creation of newer services. This could either be done by extracting all user data from a service and sharing it with another (data portability) or by creating anonymized public data sets to be used as test bed by newer service providers, thus (i) enabling the creation of innovative services by new players and (ii) ensuring a level playing field, which ultimately provide significant value to customers/businesses. In essence, this consultation paper aims to identify the key issues pertaining to data protection in relation to the delivery of digital services. (para 1.5 to 1.6)
Chapter II – Data Protection
Data protection - legal control over access to, use of data, stored in digital format - process of safeguarding digital information from corruption/loss.
A report of planning commission (Group of experts headed by J. A.P. Shah) on data privacy recommended formulation of sector and technology neutral bill by adoption of national level privacy principles:
i) Notice, Choice and Consent: DC shall give simple notice about what personal information is being collected, its purpose and use, disclosure to 3rd party, notification in case of breach to all users/individuals and shall give opt-in/opt-out choice to individuals in regards to providing their personal information, take consent after such notice.
ii) Collection, purpose limitation: DC shall collect information necessary for purposes identified and the data collected, processed should be adequate/relevant to the purpose.
iii) Access and correction: Individuals to have access to their information with DCs and be able to seek correction, amendment, deletion, if inaccurate.
iv) Disclosure of information and Security: Only disclose information to 3rd party after notice to and seeking consent of individual and to secure information using reasonable security safeguards.
v) Openness and Accountability: DC shall take steps to implement practices, procedures, policies, systems proportional to scale, scope, sensitivity to data collected to ensure compliance with privacy principles and make this information available to individuals and shall also be accountable for complying with measures which give effect to privacy principles. (para 2.2)
[*Data controller (DC) - any organisation that determines purposes/means of processing user’s personal information]
These principles can be considered a starting point to examine the soundness of the current framework that governs data protection in the current digital ecosystem. Whereas it is also imperative to consider the challenges relating to aspects of high variety, velocity, volume of data and issues like accessibility, accuracy, reliability of data, harmonization of standards that arise in the context of data with increase in use. (para 2.3)
Telecommunications and data protection
In order to protect the privacy of users of telecom services, it is important to ascertain aspects like ownership rights, authority to use,transact,delete personal data which is currently ambiguous and ensure TSPs and data controllers involved are bound to follow certain safeguards while collecting,storing,using data of subscribers which they gain access while delivering their services. Moreover, the report of the planning commission after a review of the current telecom regulatory framework upheld the privacy principles enumerated above and also noted both the elements already in place and elements missing in the framework. (para 2.4 to 2.5)
Telecom sector-specific requirements (An overview of the current framework)
TSP’s bound by no. of requirements that flow from sector specific laws and conditions and general provisions as per Information Technology Act, 2000 relating to data protection.
a) India Telegraph Act, 1885 puts a general obligation on telecommunication service providers (TSPs) to prevent unauthorized interception of messages and maintain secrecy. (Sections 24, 25, 26, 30 and Rules)
b) Unified license agreement contains requirements relating to data protection. (Clause 37, 39.12)
c) Initiatives taken by TRAI – Directive to all TSPs ensuring compliance of terms and conditions of license in regards to confidentiality of information of subscribers and privacy of communications.
d) IT Act contains provisions for TSPs/intermediaries relating to data protection and interception of information by authorized agencies. The grounds of interception under the IT Act has a wider scope on comparison to Telegraph Act. (Section 43A, 72A and Rules) (para 2.6)
Security of the telecommunications network
It is imperative to safeguard the telecom infrastructure through adequate security measures from potential vulnerabilities and to preserve data confidentiality. Also, this sector is a key pillar of critical national infrastructure and requires security as vulnerabilities lead to disruption of basic services, severely impacts citizens and businesses and delivery of public services.
Confidence in the network and services offered to customers/subscribers, public authorities demand to ensure availability of services, fair competition, privacy protection, security to safeguard operation and business interests of network/service providers and meet obligations mark the requirements of network security framework. Also, Section 70 of IT Act declares certain areas as critical information infrastructure (CII). (para 2.7 to 2.8)
Chapter III - Stakeholders: Digital Eco System
The privacy concerns that relate to services provided by TSPs also emanate from the activities of variety of other stakeholders like content/application service providers, device manufacturers, browsers, operating systems etc. that process/control the personal data of users.
Ways in which data of users can be accessed and controlled by these stakeholders:
i) Cookies and fingerprinting – Cookies allow a website to identify a user’s device and can be of various types such as session, persistent, first party and third party cookies. However, the general users have low awareness about the use, beneficial and harmful objectives of deploying cookies. Device fingerprinting uses various information elements transmitted by a device in order to identify it which is used as an alternative for cookies to track internet behavior over time.
ii) Permission taken by applications – Software applications pose data protection concerns by allowing the app owners/stores, operating systems, device manufacturers and analytics/ advertising providers to collect vast amount of data of the user from their device and process it for business purposes. Apps also collect information about others people through consenting customers as the users allowing access don’t understand the implications of granting consent and sometimes they do not have an effective choice due to the uneven bargaining power of the provider. Further, the lack of security mechanisms in these apps, like a malware attack on vulnerable apps also pose a concern.
iii) Generally, operating systems as intermediaries set rules in terms of permissions sought by apps, provide disclosures and transparent to users in regards to privacy controls. But there is also a need to consider appropriate mechanisms for the timely detection and reporting of any threats as the use of proprietary codes and systems contributes to an increase in the vulnerabilities of certain types of systems.
iv) The growth in adoption of Internet of Things (IoT) devices also raises concern about the nature and extent of data collected by devices, the purpose for which it can be used and security of these devices as devices and equipments used by individuals to connect to various networks gather large volumes of data about user’s behaviour. (para 3.1)
The issues above to an extent are catered to by the provisions of IT Act but a more comprehensive privacy and data protection law for the country still needs to be formulated to address issues of identifying the categories of data that needs protection, the stakeholders that would be bound by requirements of data protection and the obligations to be cast on them and mechanism for proper enforcement of these obligations. Moreover, the scope of personal data keeping in mind changes in technology and methods of aggregation needs to be broadened as data protection regulations have always been focused on personal data as it is attributable to individuals which has an ability to generate greater harm. (para 3.2 to 3.3)
Essential elements for a data protection framework
It will be useful to build a technology framework which monitors the uses of data and its compliance with regulations as the growth in use of data also requires the regulations to cope with the volume and diversity of usage. An appropriate safety and security mechanism to preserve the infrastructure and systems of providers is also required because data breaches not only expose personal information but also have financial and reputational consequences. The stakeholders involved also need to improve awareness and understanding of consumers in regards to use and protection of data. Also, the issues of cross-border transfer of data and exercise of jurisdiction over service provider which currently is absent in the country are becoming relevant. All these issues needs to be addressed in a manner that balances the requirements of business innovation, efficiency and security to ensure an effective solution on data protection. (para 3.4 to 3.7)
Chapter 4 - Data Protection Framework in other countries
The Directive on Privacy and Electronic Communications (ePrivacy Directive) sets out rules for providers of traditional electronic communication services to manage subscriber’s data. It also lays down directives in regards to confidentiality of electronic communications, security obligations, confidentiality of terminal equipment, processing of traffic and location data etc. A regulation on Privacy and Electronic Communications has been proposed to update current rules to adapt to technical developments and the new General Data Protection Regulation (GDPR) framework adopted to ensure confidentiality of electronic communications regardless of technology used.
GDPR - protects personal data, applies to all sectors, requires consent of data subject, provides data breach notifications, requires privacy by design, conditions applicable to transfer of data across borders. It does cover business-to-business communication/communication between individuals which does not include personal data.(para 4.1 to 4.3)
The Federal Trade Commission implements the federal consumer protection law that prohibits unfair/deceptive practices and applies to offline, online privacy and data security policies. Further, the Federal Communications Commission enacted broadband privacy rules aimed at greater choice, transparency and security protections for personal data. (para 4.4 to 4.6)
Chapter 5 - Issues of Consultation
Questions posed to stakeholders to obtain views on next steps for a comprehensive consultation on data protection in telecom sector and other areas of digital ecosystem. Answers/comments to issues should be supported with justification. They can also comment on other issues related to data privacy and security in telecom sector with details.