{"id":1449,"date":"2018-07-26T15:45:23","date_gmt":"2018-07-26T23:45:23","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1449"},"modified":"2018-07-26T15:45:23","modified_gmt":"2018-07-26T23:45:23","slug":"indian-telecom-regulator-data-protection","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/","title":{"rendered":"Indian telecom regulator recommends data protection norms for the internet"},"content":{"rendered":"<p>The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release of their recommendations on data privacy in the telecom sector. While TRAI makes many recommendations that strengthen user rights, they also propose to extend the telecom regulatory framework to \u201call entities in the digital ecosystem\u201d, a change that would result in significant harm for users and the internet ecosystem. TRAI argues that until India has a comprehensive data protection law, the licence conditions that apply to telecom companies must apply to \u201ctelecom service providers, devices, operating systems, browsers, applications etc\u201d. We respectfully disagree with TRAIs claim that this framework is \u201cfairly robust\u201d in protecting user privacy. The license terms are not only an awkward fit in the context of non-telecom companies, but several conditions, like those relating to data localization, encryption, and law enforcement access, are themselves in need of urgent reform.<\/p>\n<p>TRAI\u2019s recommendations are just one of the many attempts by Indian regulators to fill the void left by the repeated delays in the release of the Justice Srikrishna Committee bill &#8212; the Committee established nearly a year ago by the Indian Ministry of Electronics and Information Technology to write the country\u2019s first data protection law. Other regulators getting into the fight include the Reserve Bank of India (RBI), which made the controversial announcement requiring all financial data to be <a href=\"https:\/\/in.reuters.com\/article\/india-data-localisation-exclusive\/exclusive-india-proposes-easing-local-data-storage-rules-for-foreign-payment-firms-document-idINKBN1K20K6\">localized<\/a> in India, and the Health Ministry, which has proposed its own <a href=\"https:\/\/www.google.com\/search?q=Digital+Information+Security+in+Healthcare+Act%E2%80%9D&amp;ie=utf-8&amp;oe=utf-8&amp;client=firefox-b-1-ab\">health data privacy bill<\/a>. Sectoral regulation can have many benefits under certain circumstances. But as regulators grow impatient with the delays in developing a comprehensive data protection framework, India risks splintering into problematic sectoral regulation that both expands these regulators\u2019 mandates and provides insufficient protections for users.<\/p>\n<p>So what does TRAI actually say?<\/p>\n<p><b>Applying telecom license conditions to the entire \u201cdigital ecosystem\u201d: <\/b><b>Making a bad problem worse <\/b><\/p>\n<p>TRAI Recommendation 3.1.b reads<\/p>\n<p><i>\u201cTill such time a general data protection law is notified by the Government, the existing Rules\/ License conditions applicable to TSPs for protection of users\u2019 privacy be made applicable to all the entities in the digital ecosystem\u201d <\/i><\/p>\n<ul>\n<li>\u00a0The license conditions referred to by TRAI include the \u201cUnified License\u201d (or UL) binding on all telecom service providers in India. Several of these terms are long overdue for reform, and in particular, we worry about the following:<\/li>\n<\/ul>\n<ul>\n<li><b>Access for security agencies<\/b>: (UL Condition 39.12): This license condition requires that entities, \u201cin the interests of security\u201d, set up \u201csuitable monitoring equipment\u201d as per the requirements of security agencies &#8211; \u201cas and when\u201d they may require them. This broadly worded obligation requires re-examination, particularly whether it fulfils the <a href=\"https:\/\/ajayshahblog.blogspot.com\/2017\/09\/an-analysis-of-puttaswamy-supreme.html\">proportionality standard<\/a> laid down by the Supreme Court of India in <i>Puttaswamy<\/i> v <i>Union of India <\/i>case.<\/li>\n<li><b>Data localization<\/b> (UL Condition 39.23.viii and 39.23.iii): These conditions prohibit the transfer of accounting or user information to servers outside India; and allow the government to mandate that traffic related to certain entities is localized \u201cfor security reasons\u201d. As we&#8217;ve argued, a broad data localization mandate, particularly for the fast-growing Indian digital economy, would be <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/06\/22\/data-localization-india\/\">bad for users, business, and security<\/a>.<\/li>\n<li><b>Prohibition of bulk encryption <\/b>(UL Condition 37.1): At Mozilla, we believe <a href=\"https:\/\/blog.mozilla.org\/blog\/2016\/02\/16\/help-us-spread-the-word-encryption-matters\/\">encryption is critical to the health of the Web<\/a>. The current license terms bluntly restrict any \u201cbulk encryption\u201d. While TRAI does acknowledge that encryption is critical to a safe and secure web, and recommends strengthening encryption standards in Indian policy, a clear recommendation for the repeal of this regressive condition is in order.<\/li>\n<\/ul>\n<p><b>Steps in the right direction: user rights, meaningful choice, breach notifications<\/b><\/p>\n<ul>\n<li>Somewhat at odds with their endorsement of the telecom license terms, TRAI also recommends several key data protection rights, including the right to meaningful consent, notice, and data portability. On the topic of consent and choice, TRAI provides helpful nuance for its application to the telecom and internet ecosystem. In particular:<\/li>\n<\/ul>\n<ul>\n<li><b>Ability to delete pre-installed apps: <\/b>We commend TRAI\u2019s recommendation that it should be \u201cmandatory for devices to incorporate provisions so that users can delete pre-installed applications, which are not part of the basic functionality of the service\u201d. As we recently argued in the context of the French regulators\u2019 suggestions on \u2018device neutrality\u2019, <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/05\/29\/arcep-report-device-neutrality\/\">\u201capplications should generally have the opportunity to become full replacements of default applications.\u201d \u00a0<\/a><\/li>\n<li><b>Mechanisms for vulnerability disclosure: <\/b>We welcome TRAI\u2019s recommendation for transparent vulnerability disclosure in the telecom sector. Accountability structures that incentivise disclosure are key to the security of the digital ecosystem. However, we emphasize that governments themselves must be part of and subject to such frameworks. Mozilla has <a href=\"https:\/\/blog.mozilla.org\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\">argued<\/a> for strong government vulnerability disclosure frameworks in the US and more recently, <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2018\/04\/Mozilla_EU-Cybersecurity-Act_Position-paper.pdf\">in Europe<\/a>.<\/li>\n<\/ul>\n<p>Finally, TRAI also recommends the \u201cElectronic Consent Framework\u201d developed by the Ministry of Electronics &amp; IT as a model technical solution to digitise the giving and revocation of consent as well as data transfers between entities. While the goal of empowering users is a noble one, before jumping to technical solutions, fundamental protections for users must be enshrined in law.<\/p>\n<p>As Mozilla has <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2018\/02\/Mozilla-submission-to-Srikrishna-Committee.pdf\">long argued<\/a>, India requires a comprehensive privacy and data protection law, grounded in individual rights and following the high standard set by the <i>Puttaswamy<\/i> judgment. Patchwork sectoral laws in the absence of a comprehensive data protection law are too weak a foundation for the protection of the fundamental right to privacy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/\">Read more<\/a><\/p>\n","protected":false},"author":1570,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[525,283226],"tags":[],"coauthors":[318936,290387],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Indian telecom regulator recommends data protection norms for the internet - Open Policy &amp; Advocacy<\/title>\n<meta name=\"description\" content=\"The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release of their recommendations on data privacy in the telecom sector.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Amba Kak, Jochai Ben-Avie\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/\",\"name\":\"Indian telecom regulator recommends data protection norms for the internet - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2018-07-26T23:45:23+00:00\",\"dateModified\":\"2018-07-26T23:45:23+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4\"},\"description\":\"The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release of their recommendations on data privacy in the telecom sector.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Indian telecom regulator recommends data protection norms for the internet\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4\",\"name\":\"Amba Kak\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/91cf773f2e4ece9b94c32f3018ee6f26\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g\",\"caption\":\"Amba Kak\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Indian telecom regulator recommends data protection norms for the internet - Open Policy &amp; Advocacy","description":"The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release of their recommendations on data privacy in the telecom sector.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/","twitter_misc":{"Written by":"Amba Kak, Jochai Ben-Avie","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/","name":"Indian telecom regulator recommends data protection norms for the internet - Open Policy &amp; Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"datePublished":"2018-07-26T23:45:23+00:00","dateModified":"2018-07-26T23:45:23+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4"},"description":"The Telecom Regulatory Authority of India launched a new salvo this past week into the ongoing debate on the shape of the country\u2019s first data protection law, with the release of their recommendations on data privacy in the telecom sector.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/26\/indian-telecom-regulator-data-protection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"Indian telecom regulator recommends data protection norms for the internet"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4","name":"Amba Kak","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/91cf773f2e4ece9b94c32f3018ee6f26","url":"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g","caption":"Amba Kak"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1449"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1570"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=1449"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1449\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=1449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=1449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=1449"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=1449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}