Академический Документы
Профессиональный Документы
Культура Документы
This is the second post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the
consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) published by the Telecom
Regulatory Authority of India (TRAI) on 9th August, 2017.
In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total,
fifty-three (53) stakeholders – thirty (30) firms and organisations, nine (9) telecom service providers (TSPs), six (6) associations, four (4) consumer
advocacy groups and four (4) individuals – submitted detailed responses. Comments of all stakeholders are available here. Our comments to the
Consultation Paper are available here.
The mapping of stakeholders’ opinion, and the analysis of such mapping, is based on the interpretation of all the responses to the Consultation
Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests and comments, to rectify any such
ommission(s) or error(s) in this exercise, are duly invited.
Q6. Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data
sets which can be used for the development of newer services?
INSIGHTS
● 47.2% of the total respondents were in favour of the proposed data sandbox.
● 37.7% of the total respondents were not in favour of the proposed data sandbox.
● 5.7% of the total respondents responded without commenting specifically in favour of the proposed data sandbox.
● 9.4% of the total respondents provided no response to the question.
Observations
● There was a split amongst civil society organisations regarding the sufficiency of setting up of a data sandbox. Five of the civil society
organisations (namely, CIS, Consumer Protection Association, CUTS, Internet Democracy Project, IT for Change, sflc.in) were in favour of the
proposed data sandbox while two (2) stakeholders (Consumer’s Guidance Society and NLU-D) were not in favour. One (1) of the civil society
organization (Federation of Consumers and Service Organisations) opined ambiguously on the subject matter and two (2) (Internet Freedom
Association and Takshashila Institution) did not respond to the question.
● Majority of the telecom service providers (TSPs) were not in favour of the proposed data sandbox; six (6) TSPs did not want a data sandbox
(Airtel, Reliance Jio, Reliance Communications, Vodafone, Telenor and Tata Teleservices), as opposed to three (3) TSPs that did not oppose the
setting up of a data sandbox (BSNL, MTNL and AT&T). One (1) TSP (Idea Cellular Ltd.) offered suggestions but did not come out with a clear
stance.
● A slim majority of the industry associations was in favour of the proposed data sandbox. Six (6) supported setting up of a data sandbox (IAMAI,
ACTO, NASSCOM – DSCI, ITI, iSpirt and USIBC); while five (5) said that data sandboxes were not required (COAI, ISPAI, EGB Federation,
BIF and USISPF). ASSOCHAM and BSA did not opine on the subject matter. No response to the question was offered by ACT.
2 ACTO Yes Participation must be voluntary The government must make efforts to learn from,
participate in and encourage the development of best
practices in industry-led data-sharing platforms. Strong
encryption and other safeguards must be incorporated
3 ASSOCHAM Maybe Participation must be voluntary. Value should be created for the entire sector by creating
The government must not advocate for a conducive business environment that facilitates all
specific methods or types of innovation business models overall.
in the absence of strong evidence of
market failure.
4 COAI No Entities should be responsible for the The government must act as a catalyst and facilitator to
data they own. help market and negotiation based solutions take off.
The government data must be made available in a
government sandbox so that it may be leveraged by
companies to create innovative use cases.
5 GSMA Maybe Participation must be voluntary as The government must act as a catalyst and facilitator to
compelling entities to provide access to help market and negotiation based solutions take off.
data on a common sandbox, made Anonymised data generated by government systems
accessible to competitors might should be shared as it may boost innovation in business
disincentivize innovation by impacting without creating intellectual property and trade secret
IP and trade secrets. The government issues.
must only intervene in the event of a
market failure.
9 TRA Yes There must be no obligation on the To ensure clarity, vis-à-vis enforcement, “regulated
platform to place any personal un- companies” and “newer services” need to be defined.
aggregated information in the data Personal un-aggregated information should also include
sandbox. any data which may be reasonably linked to an
Aggregated, anonymised information individual or a device. Information, in an aggregated
should be placed in the proposed data form, may transform into personally identifiable
sandbox. information.
The aggregated, anonymized data sets sought to be
used for the data sandbox may not be used for any other
unauthorized, “extraneous purposes.”
10 NASSCOM - Yes Though a good idea given the status of Regulatory sandbox should be created to facilitate a
DSCI data rich economy India is en route to thriving environment for innovative ideas with regard
acquiring, sandboxing must not be to the regulatory landscape.The sandbox must be
mandated, but kept voluntary. technology neutral and in no way restrictive of
technology.
12 Zeotap India Pvt. No Centralized storage of such data is risky Companies should be mandated to use state of the art
Ltd. especially because the government, technologies and processes as per direction of
unlike companies, has no incentives to designated data protection agency, get regular
invest into the cutting edge technology. technology up-gradation and submit periodic third
party audit reports and certifications such as 27001 (or
equivalent).
13 Takshashila No Sought clarity on how the sandboxes are N/A
Institution response intended to be deployed.
14 ISACA Yes Data sandbox would be a valuable tool The ongoing work in Singapore should be considered
for developing new services and which is undertaking similar efforts.
fostering startup companies within the
FinTech sector.
15 IBM Yes Data sandboxes are highly beneficial to Dumping of “personal data” as “anonymous data”
the society as the world cross new should be discouraged. In addition to anonymization, it
milestones on the technological front. should be ensured that the entity providing the data
should not be one interested in revealing personal
identities.
16 MakeMyTrip No The data sandbox may only be relevant A strong regulatory framework, defining minimum
to specific businesses and hence is not protection standards, coupled with mandatory periodic
worth the effort. third party audit or certification provides adequate data
privacy protections.
17 Access Now Yes Any processing of metadata must be The processing of metadata, including traffic and
contingent on user’s consent. location data, should always be contingent on the user’s
consent as the risk of re-identification is very high.
Exceptions can be made for:
○ Billing and interconnection payments
where metadata may be stored and/or
processed only for the period during
which the bill may be lawfully
challenged.
○ Any automatic, intermediate and
transient storage insofar as it takes place
for the sole purpose of carrying out the
transmission in the electronic
communications network.
○ Processing of electronic
communications data to ensure the
security and continuity of the electronic
communications services.
19 ITI Yes Participation must be voluntary. Initiative There must be no mandatory across-the-board
must be developed in consultation with requirements on companies to create such anonymized
industry. data sets.
22 KOAN Yes N/A Regulatory sandboxes must also be set up as they help
incubate new technology solutions whilst
simultaneously informing regulators on good light
touch regulatory practices, encouraging sustainable
market growth.
25 Internet Yes N/A The data sandbox should be tested for ease of re-
Democracy identification using data sets and allow/disallow
Project specific uses for such data sets based on an impact
assessment.
Explore the proposed model as a regulatory sandbox to
examine ethical implications and regulatory
compliances of data usage before implementation at
large.
28 CIS Yes Participation must be voluntary and any Access to data must not be absolute and must be given
steps to compel contribution of data to through a tiered authorization model. Collaboration
curb monopolistic practices must ideally should be encouraged with the academia and industry
be undertaken by or in consultation with to prescribe robust data de-identification and security
the Competition Commission of India. measures that are followed by all participants as this
sort of an initiative can be a potential ‘honeypot’ for
fraudulent activities.
29 USIBC Yes Participation must be voluntary. Aspects of proprietary information and liability must be
clearly defined. The Singapore model based on
voluntary cooperation should be considered.
30 Disney No The rapid changes in technology and the Selective and targeted enforcement of existing laws
Broadcasting ever-increasing flow of data would make coupled with cooperation with the industry is
(India) Ltd the technology sandbox obsolete and recommended.
impractical having a stifling effect on
innovation.
31 BSA Maybe While it would be problematic to make De-identified data should be encouraged by not
participation mandatory, it would be considering it to be personal information.
valuable to have appropriately de-
identified datasets.
32 IT for Change Yes It is the government’s duty to take up It must be made obligatory for data companies to
such an enterprise in public interest. . contribute ‘data commons’ to the data sandbox and
they must be labelled as such and made available
equitably to all [“Data commons” refers to the data that
contributes to building granular digital intelligence
about an entity/ field/ sector which comes raw from the
social, physical and natural environment outside the
ownership realms of a body corporate, making the
ownership of the latter over such data questionable].
Since the responsibility of handling such data is
enormous, such a role must be entrenched in the
Constitution of India with the relevant powers defined
and circumscribed. Ultimately a “Data Institution” may
need to be set up as a constitutional body, fully
insulated from the executive.
33 SFLC.in Yes The data sandbox must be used in the The risks of re-identification must be addressed.
interest of public.
34 EBG No Data sandboxes maybe detrimental to Telecom Service Providers need to build more secure
Big data businesses. repositories for personal data.
Violative of Article 300A of the
Constitution.
35 AT&T Yes Participation in the data sandbox must be The government should focus on learning from and
voluntary and the initiative must not be encouraging best-practices rather than competing with
viewed as an exclusionary alternative. industry-driven solutions.
36 Broadband India No While monopolistic tendencies must be Data should be allowed to be accessed by academics or
Forum checked, they must not curb innovation. other researchers for public value rather than general
Mandating maintenance of data amounts publication of data sets (which has led to re-
to regulatory overreach. Private sector is identification in many cases), aided by laws creating
best positioned to develop solutions to standards for sharing and limited liability.
this problem. Publication of data sets by government agencies under
Proposed data sandboxing is violative of the open data policy for national planning and
Article 300A of the Constitution of India development purposes should be promoted and data
Trust reposed by big data businesses in portability from a consumer perspective should be
the Indian market must be preserved. encouraged.
40 Apurv Jain Yes Proposed model will bring regulatory Usage of the sandbox should be regulated based on the
clarity and drive innovation. genuineness of innovation, direct benefits to customers,
risks to confidential information and the readiness of
the product or service to be tested using the sandbox.
An open sandbox applicable to all with an option to
customize for special cases is appropriate for the Indian
telecom sector
41 RJIL No It would be prudent in public interest to A principle based guideline should be formulated for
continue to follow a light touch the industry to develop such mechanisms and it should
regulatory approach.. be followed up with auditory supervision and
Industry driven solutions, are better compliance testing.
placed to deal with advancements in
technology.
42 Bharti Airtel No The sharing of aggregate or anonymized The government should restrict itself to only providing
Limited data should be left to the commercial guidelines/laws for the creation and sharing of data,
needs of corporate bodies. applicable to all entities uniformly.
43 Idea Cellular Ltd. Maybe Participation in the proposed model must The government data must be made available in a
be voluntary and each entity should be government sandbox so that it may be leveraged by
responsible for the data that it owns. companies to create innovative use cases.
45 Reliance No Many niche companies that provide Licensees / registered data collection entities should be
Communications highly advanced data anonymization allowed to create and lend anonymized data sets since
Ltd. techniques create dummy data which can they are obligated to ensure security of the data of their
be hired and used for development of subscribers.
newer services.
48 Telenor No Businesses are in the best position to Licensed TSPs should be allowed to do data analytics
determine what data is relevant. for their consumers as this will enable better and more
The sandbox will provide new access relevant services to the consumers. Consumer
points increasing opportunities for protection should be ensured by having clear
privacy violations. regulations on the protection of this data at its source
(the data controller and its authorized data processors).
49 Vodafone No It should not be mandatory to share data The government data must be made available in a
available to a data controller by virtue of government sandbox so that it may be leveraged by
the service provided by it. companies to create innovative use cases.
51 CUTS Yes Setting up data sandboxes is an Regulatory sandboxes should be created as it would
encouraging initiative to drive research help understand consumer protection concerns and
and innovation activities among facilitate the self-regulatory forums to design
regulated companies. appropriate disclosure and grievance redress standards.
It must be ensured that sophisticated, informed
consumers are not eligible for extra protections
available to uninformed and retail consumers.
Intervention through regulation and other means should
take place only when consumer concerns cross a
predetermined threshold.
[This post is authored by Sushma S. Babu, a fourth year undergraduate student of HNLU, Raipur, during her interninship with TRA].