COAI wants telco-like regulation for all communication service providers

In response to the Telecom Regulatory Authority of India’s (TRAI) consultation paper on data protection, the Cellular Operators Association of India (COAI) has demanded that other communication service providers be regulated as strictly as telecom operators.

Asking for a level playing field, COAI said that the treatment of telcos was “widely different” from other stakeholders on security requirements. Many similar voice and text-based services were not subjected to regulations, such as setting lawful interception and monitoring systems, ensuring protection of privacy and confidentiality of subscriber information, restrictions on sending user information abroad, and on employing bulk encryption equipment, among others.

It said that telecommunications service providers (TSPs) act as data controllers and inform the user while collecting data and its purpose. Other digital entities do not act as such. COAI has asked for a set of regulatory principles to be established for digital entities to act as data controllers.

Some of the other suggestions given by COAI are as follows:

On user consent

COAI was of the opinion that law must recognise the difference between personally identifiable and anonymised information when it comes to regulations. It said that user consent should be required only if the user’s data was shared in an identifiable format, and not when it was anonymised or aggregated. However, the privacy policy of the company should include the purpose of the use of such data and its recipient, if it’s being shared.

Notably, personal information is defined as information that relates to a natural person, and is capable of identifying a person directly or indirectly. Sensitive personal information includes passwords, financial information, health conditions and medical record, sexual orientation, and biometric information.

COAI also wrote about a person’s right to be forgotten, which should require deletion of his/her personal data once they terminate the service.

Auditing data use

On the question of technology to audit the use of personal data and associated consent, COAI said that creating such architecture would be “difficult”. Instead, it advocated for internal or third party audits on adherence of rules.

Data sharing

COAI was against the establishment of a data repository or sandbox by the government with anonymised data sets that can be used for developing newer services. “Each entity should be responsible for the data they own,” it said. Interestingly, the body has, in the same document, expressed that big data can be useful in building societal and economic benefits, and in Digital India and Smart City programmes. How such goals will be achieved without sharing data, was not clear in COAI’s responses.

The association has, however, advocated that government data must be made available in anonymised data sets, to be leveraged by companies.

Our take: Apart from its advocacy for stricter regulation for other stakeholders in the digital ecosystem, the association has not suggested any significant changes in the status quo on data protection. Its view against auditing technology may stand as a barrier to transparency.

Government committee on data protection

The Ministry of Electronics and IT has set up its own committee on data protection, led by former Supreme Court Justice BN Srikrishna. A consultation paper for the draft Data Protection Bill was issued in November last year, and stakeholders consultations meetings were held in Delhi, Hyderabad, Bangalore and Mumbai last month. It’s worth noting that the Srikrishna Committee will not make the stakeholder submissions public. More on this here.

Also Read:

Live Blog: TRAI Open house on data protection
Concerns about TRAI Consultation paper on Data Protection