Mapping Stakeholders’ Responses to the TRAI Consultation Paper on Privacy, Security and Ownership of the

Data in the Telecom Sector

This is the second post, in a twelve (12) part series of posts, to map the opinions of all the stakeholders on the basis of their responses to the
consultation paper on Privacy, Security, and Ownership of the Data in the Telecom Sector (Consultation Paper) published by the Telecom
Regulatory Authority of India (TRAI) on 9th August, 2017.

In order to address key data privacy and security issues, the TRAI framed twelve (12) questions and invited comments to these questions. In total,
fifty-three (53) stakeholders – thirty (30) firms and organisations, nine (9) telecom service providers (TSPs), six (6) associations, four (4) consumer
advocacy groups and four (4) individuals – submitted detailed responses. Comments of all stakeholders are available here. Our comments to the
Consultation Paper are available here.

The mapping of stakeholders’ opinion, and the analysis of such mapping, is based on the interpretation of all the responses to the Consultation
Paper. A few details may have been lost during the interpretation of the responses. All suggestions, requests and comments, to rectify any such
ommission(s) or error(s) in this exercise, are duly invited.

Q6. Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data
sets which can be used for the development of newer services?

Broadly, stakeholders fell into one of four categories:

1. Those who responded in favour of the proposed data sandbox;

2. Those who were not in favour of the proposed data sandbox;
3. Those who responded without commenting specifically in favour of the proposed data sandbox; and
4. Those that did not answer this question.

INSIGHTS
● 47.2% of the total respondents were in favour of the proposed data sandbox.
● 37.7% of the total respondents were not in favour of the proposed data sandbox.
● 5.7% of the total respondents responded without commenting specifically in favour of the proposed data sandbox.
● 9.4% of the total respondents provided no response to the question.

Graph illustrating the breakdown of responses

Stakeholders who were in favour of a data sandbox:
1. Internet and Mobile Association of India (IAMAI)
2. Association Of Competitive Telecom Operators (ACTO)
3. TRA
4. National Association of Software and Services Companies – Data Security Council of India (NASSCOM – DSCI)
5. Information Systems Audit and Control Association (ISACA)
6. IBM
7. Access Now
8. Information Technology Industry Council (ITI)
9. Sigfox
10. KOAN Advisory
11. Internet Democracy Project
12. Citibank
13. iSPIRT
14. The Centre for Internet and Society, India (CIS)
15. USIBC (US India Business Council)
16. IT for Change
17. Software Freedom Law Centre (sflc.in)
18. AT&T Global Network Services India Pvt. Ltd. (AT&T)
19. Sangeet Sindan
20. Apurv Jain
21. Mahanagar Telephone Nigam Limited (MTNL)
22. Bharat Sanchar Nigam Limited (BSNL)
 23. Consumer Unity & Trust Society (CUTS)
24. Consumer Protection Association

Stakeholders who were not in favour of the proposed data sandbox:

1. Cellular Operators Association of India (COAI)
2. GSM Association (GSMA)
3. Internet Service Providers Association of India (ISPAI)
4. National Law University, Delhi (NLU-D)
5. Zeotap India Pvt. Ltd.
6. MakeMyTrip
7. U.S. India Strategic Partnership Forum (USISPF)
8. Exotel Techcom Pvt. Ltd.
9. Internet Freedom Foundation
10. Mozilla Corporation
11. Disney Broadcasting (India) Ltd.
12. EBG Federation (EBG)
13. Broadband India Forum
14. Reliance Jio Infocomm Limited (RJIL)
15. Bharti Airtel Limited
16. Reliance Communications Ltd.
17. Tata Teleservices Ltd. (TTL)
18. Telenor India
19. Vodafone
20. Consumer’s Guidance Society

Stakeholders who were ambiguous about the proposed data sandbox:

1. The Associated Chambers of Commerce of India (ASSOCHAM)
2. Business Software Alliance (BSA)
3. Federation Of Consumers And Service Organizations
4. Idea Cellular Ltd.

Stakeholders that did not respond:

1. Takshashila Institution
2. Span Technologies
3. Association for Competitive Technology (ACT)
4. Redmorph
5. Baijayant Jay Panda

Stakeholders who emphasised that participation in the sandbox must be voluntary:

1. IAMAI
2. ACTO
3. NASSCOM - DSCI
4. ITI
5. CIS
 6. USIBC AT&T Idea Cellular Ltd.
7. GSMA
8. ASSOCHAM

Stakeholders who suggested that a regulatory sandbox be set up:

1. COAI
2. NASSCOM - DSCI
3. KOAN
4. Internet Democracy Project
5. CIS
6. Broadband India Forum
7. Idea Cellular Ltd.
8. Vodafone
9. CUTS

Observations
● There was a split amongst civil society organisations regarding the sufficiency of setting up of a data sandbox. Five of the civil society
organisations (namely, CIS, Consumer Protection Association, CUTS, Internet Democracy Project, IT for Change, sflc.in) were in favour of the
proposed data sandbox while two (2) stakeholders (Consumer’s Guidance Society and NLU-D) were not in favour. One (1) of the civil society
organization (Federation of Consumers and Service Organisations) opined ambiguously on the subject matter and two (2) (Internet Freedom
Association and Takshashila Institution) did not respond to the question.
● Majority of the telecom service providers (TSPs) were not in favour of the proposed data sandbox; six (6) TSPs did not want a data sandbox
(Airtel, Reliance Jio, Reliance Communications, Vodafone, Telenor and Tata Teleservices), as opposed to three (3) TSPs that did not oppose the
setting up of a data sandbox (BSNL, MTNL and AT&T). One (1) TSP (Idea Cellular Ltd.) offered suggestions but did not come out with a clear
stance.
● A slim majority of the industry associations was in favour of the proposed data sandbox. Six (6) supported setting up of a data sandbox (IAMAI,
ACTO, NASSCOM – DSCI, ITI, iSpirt and USIBC); while five (5) said that data sandboxes were not required (COAI, ISPAI, EGB Federation,
BIF and USISPF). ASSOCHAM and BSA did not opine on the subject matter. No response to the question was offered by ACT.

Responses Mapped in the Table

The following table was prepared after an analysis of all fifty-three (53) responses to the Consultation Paper. The table identifies the stances of the
stakeholders and their response to the question. It also states the suggestions they have made to the TRAI in view of the question posed.

Sl. Stakeholder Response Stance Suggestions

No
1 IAMAI Yes Participation must be voluntary as Only raw data and not processed or analyzed data must
compelling entities to provide access to be shared. Collaboration between private entities to set
data on a common sandbox, made up such sandboxes, including by way of ‘public-
accessible to competitors, might private partnership’, should be incentivized. Outputs so
disincentivize innovation. It would also obtained should be made open source.
be violative of the right guaranteed under Publication of data by government agencies under the
Article 300A and Article 19(1)(g) of the open data policy should be promoted.
Constitution.

2 ACTO Yes Participation must be voluntary The government must make efforts to learn from,
participate in and encourage the development of best
practices in industry-led data-sharing platforms. Strong
encryption and other safeguards must be incorporated

3 ASSOCHAM Maybe Participation must be voluntary. Value should be created for the entire sector by creating
The government must not advocate for a conducive business environment that facilitates all
specific methods or types of innovation business models overall.
in the absence of strong evidence of
market failure.

4 COAI No Entities should be responsible for the The government must act as a catalyst and facilitator to
 data they own. help market and negotiation based solutions take off.
The government data must be made available in a
government sandbox so that it may be leveraged by
companies to create innovative use cases.

5 GSMA Maybe Participation must be voluntary as The government must act as a catalyst and facilitator to
compelling entities to provide access to help market and negotiation based solutions take off.
data on a common sandbox, made Anonymised data generated by government systems
accessible to competitors might should be shared as it may boost innovation in business
disincentivize innovation by impacting without creating intellectual property and trade secret
IP and trade secrets. The government issues.
must only intervene in the event of a
market failure.

6 ISPAI No Data sandboxes would hamper emerging N/A

dynamic business models.

7 NLU-D No Absolute anonymization of data may not N/A

be possible putting thereby risking
violation of the right to privacy.
8 Span No response N/A N/A
Technologies

9 TRA Yes There must be no obligation on the To ensure clarity, vis-à-vis enforcement, “regulated
platform to place any personal un- companies” and “newer services” need to be defined.
aggregated information in the data Personal un-aggregated information should also include
sandbox. any data which may be reasonably linked to an
Aggregated, anonymised information individual or a device. Information, in an aggregated
should be placed in the proposed data form, may transform into personally identifiable
sandbox. information.
The aggregated, anonymized data sets sought to be
used for the data sandbox may not be used for any other
unauthorized, “extraneous purposes.”

10 NASSCOM - Yes Though a good idea given the status of Regulatory sandbox should be created to facilitate a
DSCI data rich economy India is en route to thriving environment for innovative ideas with regard
acquiring, sandboxing must not be to the regulatory landscape.The sandbox must be
mandated, but kept voluntary. technology neutral and in no way restrictive of
technology.

Clarifications sought by companies regarding

 regulations should be addressed in a time-bound
fashion. Conditions of industry reporting and disclosure
shouldn’t be onerous in nature. Instead of exploring just
one technique of testing and developing newer services,
a framework should be set up to encourage
organizations to develop services without impacting
privacy of individuals.

The data collected, generated and processed by the

government and businesses should be adequately
protected.

11 ACT No N/A N/A

response

12 Zeotap India Pvt. No Centralized storage of such data is risky Companies should be mandated to use state of the art
Ltd. especially because the government, technologies and processes as per direction of
unlike companies, has no incentives to designated data protection agency, get regular
invest into the cutting edge technology. technology up-gradation and submit periodic third
party audit reports and certifications such as 27001 (or
equivalent).
13 Takshashila No Sought clarity on how the sandboxes are N/A
Institution response intended to be deployed.

14 ISACA Yes Data sandbox would be a valuable tool The ongoing work in Singapore should be considered
for developing new services and which is undertaking similar efforts.
fostering startup companies within the
FinTech sector.

15 IBM Yes Data sandboxes are highly beneficial to Dumping of “personal data” as “anonymous data”
the society as the world cross new should be discouraged. In addition to anonymization, it
milestones on the technological front. should be ensured that the entity providing the data
should not be one interested in revealing personal
identities.

Consent for anonymization may be obtained at the time

of data collection. If consent for use of personal data
for analytics has been obtained, the data derived from
the analysis of multiple such datasets may be used as
“anonymous” data.
State should be able to classify certain personal data as
“anonymous” after masking/deleting certain data
identification information.There must be no mandatory
across-the-board requirements on companies to create
such anonymized data sets.

Organizations that commit to anonymizing personal

information must be permitted to process data and
disclose it to third parties without requiring the consent
of data subjects or being held to the same obligations
that apply to identifiable data.
Incentivize voluntary creation of datasets and
“pseudonymization” of data where anonymization is
not possible by offering liability protections or
decreased compliance burdens. Standards of
anonymization must be technology neutral.

UK’s ICO’s advanced risk-based approach should be

adopted. It should be recognised that perfect
 anonymization is an oft-unachievable ideal. Companies
should be encouraged to use technical and contractual
measures to mitigate risk until the probability of re-
identification is remote.

Keeping in mind the technological advancements made

using big data analytics and machine learning, the
principle of data minimization must be revisited to
maximize the socioeconomic benefits of these
innovations.

16 MakeMyTrip No The data sandbox may only be relevant A strong regulatory framework, defining minimum
to specific businesses and hence is not protection standards, coupled with mandatory periodic
worth the effort. third party audit or certification provides adequate data
privacy protections.

17 Access Now Yes Any processing of metadata must be The processing of metadata, including traffic and
contingent on user’s consent. location data, should always be contingent on the user’s
consent as the risk of re-identification is very high.
Exceptions can be made for:
○ Billing and interconnection payments
 where metadata may be stored and/or
processed only for the period during
which the bill may be lawfully
challenged.
○ Any automatic, intermediate and
transient storage insofar as it takes place
for the sole purpose of carrying out the
transmission in the electronic
communications network.
○ Processing of electronic
communications data to ensure the
security and continuity of the electronic
communications services.

Data security measures must be put in place by service

providers to protect data integrity and prevent breach.
They must also ensure that the data is not reasonably
linkable so far as is practicable.

18 USISPF No Unnecessary in a technology-based and N/A

innovation-driven ecosystem, towards
 which India is moving.
Violative of Article 300A of the
Constitution as data, especially
copyrighted data, amounts to property.
Big data businesses which have invested
huge amounts in the Indian market
trusting in their right to trade and such
rights must be respected.

19 ITI Yes Participation must be voluntary. Initiative There must be no mandatory across-the-board
must be developed in consultation with requirements on companies to create such anonymized
industry. data sets.

Incentivize voluntary creation of datasets and

“pseudonymization” of data where anonymization is
not possible by offering liability protections or
decreased compliance burdens. Standards of
anonymization must be technology neutral.

UK’s ICO’s advanced risk-based approach should be

adopted. Perfect anonymization is an oft-unachievable
 ideal. Therefore, companies should be encouraged to
use technical and contractual measures to mitigate risk
until the probability of re-identification is remote.

Keeping in mind the technological advancements made

using big data analytics and machine learning, the
principle of data minimization must be revisited to
maximize the socioeconomic benefits of these
innovations.

20 Sigfox Yes N/A Datasets should be managed by one or several

regulated companies, providing for a more open-
innovation environment that fosters technical-
development.

21 Exotel Techcom No It is a breach of user privacy and N/A

Pvt. Ltd. confidentiality agreement with clients as
perfect anonymization is almost
impossible.

22 KOAN Yes N/A Regulatory sandboxes must also be set up as they help
 incubate new technology solutions whilst
simultaneously informing regulators on good light
touch regulatory practices, encouraging sustainable
market growth.

Businesses should be incentivized to share data. It must

be ensured that ministries and departments regularly
update pertinent information and data on open-source
websites like data.gov.in.

There must be clarity as to the scope for

experimentation in the data sandbox. Mechanisms to
monitor and identify risks that may emerge from newly
tested products must be put in place.

23 Internet Freedom No The functions of TRAI is at best limited N/A

Foundation to “promote and ensure orderly growth
of the telecom sector” and it should focus
on the same, and thus not venture into
promotion of data-focused business
models that include risks to data
 protection and user privacy.

24 Mozilla No Inappropriate for the government to do N/A

Corporation so and inconsistent with the principles
developed by the Justice A.P. Shah Panel
such as notice, choice, consent, purpose
limitation, collection limitation, or right
to object. Further, it is violative of the
right to privacy as absolute
anonymization is unlikely.

25 Internet Yes N/A The data sandbox should be tested for ease of re-
Democracy identification using data sets and allow/disallow
Project specific uses for such data sets based on an impact
assessment.
Explore the proposed model as a regulatory sandbox to
examine ethical implications and regulatory
compliances of data usage before implementation at
large.

26 Citibank Yes N/A N/A

27 iSPIRT Yes Improves transparency and development N/A
of new services.

28 CIS Yes Participation must be voluntary and any Access to data must not be absolute and must be given
steps to compel contribution of data to through a tiered authorization model. Collaboration
curb monopolistic practices must ideally should be encouraged with the academia and industry
be undertaken by or in consultation with to prescribe robust data de-identification and security
the Competition Commission of India. measures that are followed by all participants as this
sort of an initiative can be a potential ‘honeypot’ for
fraudulent activities.

Goals and appropriate uses of the sandbox must be

defined to prevent misuse. This could also be used as a
mechanism to define and determine access. In addition,
regulatory sandboxes should be created.

29 USIBC Yes Participation must be voluntary. Aspects of proprietary information and liability must be
clearly defined. The Singapore model based on
voluntary cooperation should be considered.

Organizations that commit to anonymizing personal

 information must be permitted to process data and
disclose it to third parties without requiring the consent
of data subjects or being held to the same obligations
that apply to identifiable data.(Eg: Mexico, Japan, EU-
GDPR). Standards of anonymization must be
technology neutral.

UK’s ICO’s advanced risk-based approach should be

adopted. Perfect anonymization is an oft-unachievable
ideal. Therefore, companies shoud be encouraged to
use technical and contractual measures to mitigate risk
until the probability of re-identification is remote.

30 Disney No The rapid changes in technology and the Selective and targeted enforcement of existing laws
Broadcasting ever-increasing flow of data would make coupled with cooperation with the industry is
(India) Ltd the technology sandbox obsolete and recommended.
impractical having a stifling effect on
innovation.

31 BSA Maybe While it would be problematic to make De-identified data should be encouraged by not
participation mandatory, it would be considering it to be personal information.
 valuable to have appropriately de-
identified datasets.

32 IT for Change Yes It is the government’s duty to take up It must be made obligatory for data companies to
such an enterprise in public interest. . contribute ‘data commons’ to the data sandbox and
they must be labelled as such and made available
equitably to all [“Data commons” refers to the data that
contributes to building granular digital intelligence
about an entity/ field/ sector which comes raw from the
social, physical and natural environment outside the
ownership realms of a body corporate, making the
ownership of the latter over such data questionable].
Since the responsibility of handling such data is
enormous, such a role must be entrenched in the
Constitution of India with the relevant powers defined
and circumscribed. Ultimately a “Data Institution” may
need to be set up as a constitutional body, fully
insulated from the executive.

33 SFLC.in Yes The data sandbox must be used in the The risks of re-identification must be addressed.
interest of public.
34 EBG No Data sandboxes maybe detrimental to Telecom Service Providers need to build more secure
Big data businesses. repositories for personal data.
Violative of Article 300A of the
Constitution.

35 AT&T Yes Participation in the data sandbox must be The government should focus on learning from and
voluntary and the initiative must not be encouraging best-practices rather than competing with
viewed as an exclusionary alternative. industry-driven solutions.

36 Broadband India No While monopolistic tendencies must be Data should be allowed to be accessed by academics or
Forum checked, they must not curb innovation. other researchers for public value rather than general
Mandating maintenance of data amounts publication of data sets (which has led to re-
to regulatory overreach. Private sector is identification in many cases), aided by laws creating
best positioned to develop solutions to standards for sharing and limited liability.
this problem. Publication of data sets by government agencies under
Proposed data sandboxing is violative of the open data policy for national planning and
Article 300A of the Constitution of India development purposes should be promoted and data
Trust reposed by big data businesses in portability from a consumer perspective should be
the Indian market must be preserved. encouraged.

37 Sangeet Sindan Yes A data sandbox will better risk N/A

 management, creation of new
opportunities and innovation of
technology, efficiency and protection of
consumers.

38 Redmorph No N/A N/A

response

39 Baijayant Jay No N/A N/A

Panda response

40 Apurv Jain Yes Proposed model will bring regulatory Usage of the sandbox should be regulated based on the
clarity and drive innovation. genuineness of innovation, direct benefits to customers,
risks to confidential information and the readiness of
the product or service to be tested using the sandbox.
An open sandbox applicable to all with an option to
customize for special cases is appropriate for the Indian
telecom sector

41 RJIL No It would be prudent in public interest to A principle based guideline should be formulated for
continue to follow a light touch the industry to develop such mechanisms and it should
 regulatory approach.. be followed up with auditory supervision and
Industry driven solutions, are better compliance testing.
placed to deal with advancements in
technology.

42 Bharti Airtel No The sharing of aggregate or anonymized The government should restrict itself to only providing
Limited data should be left to the commercial guidelines/laws for the creation and sharing of data,
needs of corporate bodies. applicable to all entities uniformly.

43 Idea Cellular Ltd. Maybe Participation in the proposed model must The government data must be made available in a
be voluntary and each entity should be government sandbox so that it may be leveraged by
responsible for the data that it owns. companies to create innovative use cases.

44 MTNL Yes The proposed model will better safeguard N/A

data, boost legitimate business
opportunities without compromising on
the privacy of individuals and enhance
transparency.

45 Reliance No Many niche companies that provide Licensees / registered data collection entities should be
Communications highly advanced data anonymization allowed to create and lend anonymized data sets since
 Ltd. techniques create dummy data which can they are obligated to ensure security of the data of their
be hired and used for development of subscribers.
newer services.

46 TTL No Setting up data sandboxes may choke N/A

investments, innovation and thereby
harm consumers. It might also impact
intellectual property and trade secrets.

47 BSNL Yes Establishing data sandboxes will be a N/A

good step in the long run for both the
data controllers and customers.

48 Telenor No Businesses are in the best position to Licensed TSPs should be allowed to do data analytics
determine what data is relevant. for their consumers as this will enable better and more
The sandbox will provide new access relevant services to the consumers. Consumer
points increasing opportunities for protection should be ensured by having clear
privacy violations. regulations on the protection of this data at its source
(the data controller and its authorized data processors).

49 Vodafone No It should not be mandatory to share data The government data must be made available in a
 available to a data controller by virtue of government sandbox so that it may be leveraged by
the service provided by it. companies to create innovative use cases.

50 Federation Of Maybe N/A N/A

Consumers And
Service
Organizations

51 CUTS Yes Setting up data sandboxes is an Regulatory sandboxes should be created as it would
encouraging initiative to drive research help understand consumer protection concerns and
and innovation activities among facilitate the self-regulatory forums to design
regulated companies. appropriate disclosure and grievance redress standards.
It must be ensured that sophisticated, informed
consumers are not eligible for extra protections
available to uninformed and retail consumers.
Intervention through regulation and other means should
take place only when consumer concerns cross a
predetermined threshold.

52 Consumer’s No Creation of data sandboxes is not a N/A

Guidance Society pragmatic idea and therefore not worth
 considering.

53 Consumer Yes Data sandboxes will drive innovation, N/A

Protection promote business and help in creation of
Association smarter policies.

[This post is authored by Sushma S. Babu, a fourth year undergraduate student of HNLU, Raipur, during her interninship with TRA].