The curious TRAI take on privacy as India awaits Justice Srikrishna committee recommendations

Vinay Kesari July 19, 2018

India’s telecom regulator released its recommendations on privacy this Monday. Predictably, headlines seized on some of the splashier recommendations: that users ‘own their own data’, they ‘should be given the rights to consent, data portability, and to be forgotten’, and that ‘privacy by design principles should be applicable to all entities in the digital ecosystem’.

While the recommendations make some encouraging noises, it’s important to understand which parts are rhetoric and which parts are more likely to actually influence telecom policy and regulation.

What are TRAI’s powers?

Some regulatory background on the Telecom Regulatory Authority of India (TRAI) is required in order to understand why its recommendations need to be parsed carefully. Under Section 11 of the TRAI Act, its ability to conduct consultations is carefully circumscribed. It is authorised to conduct consultations on issues related to telecom licensing, telecom services, the telecom industry, telecom technology, and spectrum management. It is also key to understand that TRAI’s recommendations are just that: recommendations. The department of telecommunications (DoT), which receives these recommendations, is free to act on them or discard them entirely. And it has taken the latter course with increasing frequency in the last few years, even as the sheer number of TRAI consultations has gone up substantially under its current chairman R S Sharma.

Why has this happened? Viewed simply, a number of TRAI’s consultations have shifted away in their subject matter from the domain of telecom to the internet. And neither TRAI nor the DoT is India’s internet regulator, a job which instead belongs to the Ministry of Electronics and IT (MEITy). Therefore, TRAI’s recommendations on issues which fall clearly within the domain of the internet (and not just internet connectivity) arguably aren’t even capable of being implemented by DoT, even if it accepted them. The government’s ‘allocation of business’ rules make it clear that policy matters related to the internet (except licensing of ISPs) fall squarely within MEITy’s domain alone. Therefore a number of TRAI’s recommendations (such as those relating to users of online services owning their own data, or restraining online services from using metadata to identify users) simply cannot be turned into regulation by DoT.

How does TRAI’s consultation interface with the Justice Srikrishna committee on data protection?

This brings us back to the current consultation and resulting recommendations, whose full title is ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. So far so good – it has the words ‘telecom sector’ in it, so TRAI appears to be staying in its lane. But even a quick check of the consultation’s scope reveals that only one out of the four objectives (‘to assess the adequacy and efficiency of data protection measures currently in place in the telecom sector’) appears to clearly fall within TRAI’s telecom remit. Many of the recommendations are explicitly aimed at ‘all entities in the digital ecosystem’, which TRAI believes includes ‘telecom service providers, devices, operating systems, browsers, applications, etc.’ That covers pretty much anyone providing a service over, or related to, the internet.

When TRAI initiated its consultation on August 9 last year, just a week after the Justice Srikrishna committee on data protection had been constituted by MEITy, chairman Sharma clarified that the regulator’s consultation would merely form an ‘input’ to the Justice Srikrishna committee. This avoided setting up a direct clash. Yet, the timing and content of the consultation and recommendations are bound to raise bureaucratic hackles, given that regulators tend to be territorial and this looks a bit like a land grab. It is also possible that TRAI is setting itself up to step into the breach in case the Justice Srikrishna committee’s draft law is not passed expeditiously by Parliament. This, by the way, looks like an increasing possibility as the release of the committee’s report has already seen multiple delays and as questions hang over Parliament’s ability to function as general elections approach.

Which recommendations fall more clearly within TRAI’s remit?

So does all of this mean that the TRAI recommendations are mere signalling or is it ‘jumping the gun’ as some quarters suggest? Maybe not. Some of the recommendations stand out because they fall under categories where TRAI and DoT have the power to issue regulations or at least strongly influence policy or stakeholders. These are the ones to watch:

  1. Recommendation 3.3(c) of the report states:

For the benefit of telecommunication users, a framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.

This is an interesting one. The ‘Electronic Consent Framework (ECF)’ was introduced by MEITy in the context of its ambitious DigiLocker programme, and is very closely linked to IndiaStack’s ‘Data Empowerment and Protection Architecture (DEPA)’, which clearly has its eye on financial information. The ECF relies on digitising the giving and revocation of consent for data sharing and is clearly sector-agnostic in its architecture. The mention of ECF here by TRAI implies that apart from MEITy, TRAI (and, perhaps by extension, DoT) is also on board with this framework. What could this mean for the telecom sector though? As suggested by an IndiaStack representative (look for it at the 3m:20s mark), one possibility is that valuable (albeit sensitive) customer information which is currently held only by telcos, such as billing data, could be shared with third-party apps, thus breaking down some siloes and enabling new business cases.

  2. Recommendation 3.4(a) of the report states:

Department of Telecommunication should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors.

This would bring the security of India’s telecom networks out of the stone age, which they are currently forced to inhabit (at least on paper) because of highly outdated provisions in the telecom licences which prevent ‘bulk encryption’, and in a few cases even restrict encryption key lengths to a laughable 40 bits. While these provisions might have once been introduced because India’s security agencies lacked the ability to break strong encryption, new surveillance programs such as the Centralised Monitoring System and the migration of a lot of communication to OTT services not covered by the telecom licence may have prompted this recommendation. This is obviously a good thing for telecom users in India – among other things, it will make them less vulnerable to unauthorised ‘off-the-air’ interception techniques, which are used illegally for both government and corporate espionage.

  3. Recommendation 3.3(h) of the report states:

It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she decides. Also, the user should be able to download the certified applications at his/her own will and the devices should in no manner restrict such actions by the users.

This recommendation is aimed at bundled applications and bloatware on handsets. While handsets are considered ‘electronics’ and, therefore, fall within the regulatory remit of MEITy, TRAI has clearly demonstrated its ability to influence device/OS manufacturers in its recent dispute with Apple over TRAI’s ‘do not disturb’ app: Apple took the fairly unprecedented step of adding the ability to report SMS and call spam to iOS 12. If this recommendation is somehow implemented, it could affect OS and device manufacturers, as well as telcos such as Jio with an integrated strategy of telecom plus OTT services. While the timing is surely coincidental, this recommendation is particularly relevant in light of the staggering $5 billion fine just imposed by the EU on Google, related to bundling of apps as well as access to the Google Play Store. Depending on exactly how one reads this recommendation, it arguably covers both of these issues. Overall, this recommendation could place roadblocks in front of some monetisation strategies for multiple players.

Conclusion

In the ideal scheme of things, TRAI should perhaps have restricted the scope of this consultation to data protection standards to be followed by telecom companies with respect to the wealth of data which they collect and hold, including call records and internet browsing history. This would have been a meaty subject in and of itself – there is currently little clarity on what telcos can and cannot do with the sensitive information which they hold, and how they can monetise it. It would have also been compatible with a disciplined regulatory process where the Srikrishna Committee would have come up with overarching principles while sectoral regulators (such as TRAI or the Reserve Bank of India) would still be free to come up with more granular data protection regulations in their respective sectors. This approach has muddied the waters somewhat and it will be interesting to see how the incoming TRAI chairperson (R S Sharma is set to retire on August 10) envisions the regulator’s role.

About the author: Vinay Kesari is a lawyer specialising in technology law and policy. As a recent immigrant to Koramangala, he also harbours entrepreneurial ambitions. He tweets at @vinaykesari.