Counter Comments to the TRAI for the, "Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges"

tl;dr

IFF remains deeply committed to net neutrality and data privacy. On February 10th, 2022, IFF filed its main comments to TRAI's ongoing consultation on "Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges". However, we were troubled by some requests made by telecom service providers and industry bodies. They called for a ‘light-touch’ regulatory framework for Content Delivery Networks as well as increased data monetization, with scant attention paid to regulatory oversight over data privacy and security. IFF has filed counter comments to rebut these suggestions and urged TRAI to develop robust mechanisms to enforce net neutrality and protect data privacy.

Introduction

On December 16th, 2021, the Telecom Regulatory Authority of India (TRAI) issued a consultation paper seeking comments on the 'Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India'. In response, on February 10th, 2022, IFF submitted its comments to the paper, focusing primarily on issues of informational privacy and net neutrality. Our comments were threefold.

First, we called for urgency in creating a multi-stakeholder body (MSB) for the enforcement of net neutrality principles. While India has globally leading regulations on net neutrality on paper, it still lacks an institutional enforcement mechanism. In this regard, TRAI's recommendation in 2020 to set up an MSB was not positively received by the Department of Telecommunications (DoT) due to COVID-19 budget constraints. However, the expenditure curbs have since been relaxed and so budgetary cuts no longer stand in the way. The MSB will prevent Telecom Service Providers (TSPs) from abusing interconnection agreements, and keep technical forms of discrimination, like website blocking, slowing down of web services, etc. in check.

Second, we cautioned against regulating Content Delivery Networks (CDNs) given existing market efficiency. TRAI and other global regulators have determined that the CDN market is working adequately; it is competitive and provides user benefit. There is also a lack of existing evidence (real data) on any prospective harms, specifically in the Indian market. Hence, to facilitate the growth of the local CDN industry, TRAI should commence a deeper study prior to devising regulation.

Finally, we urged the TRAI to recast focus on telecom companies' practices for data protection standards rather than adopting flawed technical systems of consent like the draft Data Empowerment and Protection Architecture (DEPA). Our primary submission was that DEPA lacks any legal backing and thus doesn't provide any remedies. In November 2020, IFF had submitted its comments on the draft DEPA framework. We had highlighted four issues the draft policy must address: how to ensure truly informed consent is taken, orienting the use of new technology towards the interests of citizens, implementing a firm and robust regulatory mechanism, and expanding the role of the civil society. Hence, till a comprehensive data protection law is enacted and the DEPA framework improved, TRAI should begin querying information in the telecom sector to understand the existing privacy policies of the TSPs as they are vague and poorly support the subscribers. Moreover, the Minister of State for Communications Devunsinh Chauhan in the Rajya Sabha also confirmed that the DoT has not reviewed the privacy policy of TSPs in India, and that the department has not imposed any fines on TSPs for violation of the Information Technology Act, 2000 and the Information Technology Rules, 2011.

What Industry Bodies Have Said

“Presently there is adequate regulatory oversight to ensure data privacy and data security of customer data as well as customer communication for the licensed service 16 providers.”
Cellular Operators Association of India, Para 8, Page 15

The comments made by industries bodies and service providers like Cellular Operators Association of India (COAI), Broadband India Forum (BIF), Reliance Jio, Bharti Airtel, Vodafone Idea, etc. seem to be driven by a view to making profits by treating data as the next oil, giving scant attention to the privacy and security rights of the users. While we agree with their statement on India’s data protection law, we are not satisfied with their recommendations on regulating CDNs and data monetization.

Where we agree: We commend Reliance Jio and COAI’s acknowledgment of India lacking data protection regulations for different sectors to maintain the security of personal data.

Where we disagree: We strongly disagree with the submissions made on three themes, CDN regulation, data monetisation and DEPA. First, we caution against the recommendation put forth by industry bodies calling for ‘light-touch’ regulation of the CDN industry. The TRAI should instead mine further data from TSPs to check for anti-competitive practices in the CDN market, especially when the telecom market displays oligopolistic tendencies with three players, namely Reliance Jio, Bharti Airtel and Vodafone Idea, dominating the market.

Second, in terms of data monetisation, COAI believes "there is adequate regulatory oversight to ensure data privacy and data security of customer data". While Reliance Jio and Bharti Airtel have recommended ways, the government can boost the data digitisation drive. We reiterate our strong concern about any government policy that promotes "data monetisation" based on public data, especially in the absence of a data protection law. Such an approach will encourage state authorities to collect data beyond the specified purpose, leading to data maximisation. This will conflict with our fundamental right to privacy and the principle of data minimisation as recognised by the Supreme Court of India in the Justice KS Puttaswamy v. Union of India.

Thirdly, COAI and Bharti Airtel also demand that "businesses should get explicit recognition that anonymous data is not personal data and that pseudonymisation can provide genuine safeguards without the need for consent". However, this demand will fail to pass the test of data privacy as several studies have shown that de-anonymisation of data can easily be conducted.

Lastly, TRAI requested comments on the feasibility of implementing a DEPA-based consent framework amongst TSPs to share KYC data between TSPs based on subscribers' consent.

“The liability of maintaining the security of shared data lies with the Consent Manager, as it is the entity obtaining user consent for sharing of his/her data"
Reliance Jio, Answer 47 & 48, Para 6

Here, we wish to restate that the TRAI should focus on TSPs and improve the privacy & data protection standards applicable to them in the interim until a comprehensive data protection law is enacted. TRAI should ensure that all TSPs publish their privacy policies and be obligated to report data breaches, failing which a penalty should be imposed.

Our Recommendations

While we commend TRAI's intent towards improving India's digital infrastructure, we believe this should be done keeping citizens' digital rights in mind. Below are the brief recommendations we made to safeguard net neutrality and maintain data privacy:

• No ‘light-touch’ regulation of CDNs- TRAI should not give in to the suggestion calling for a ‘light-touch’ regulation of the CDN market.  Instead, as recommended by the TRAI earlier, a multi-stakeholder enforcement body should be created to provide a more informed, evidence-based policy determination on the issue. The regulatory authority should also seek more information from TSPs on their private agreements with CDN providers. This can be done by developing a reporting mechanism mandating disclosures of privately negotiated interconnection agreements and paid peering/transit arrangements.
• Stay away from DEPA- TRAI should refrain from drafting a policy premised on DEPA, and should rather improve data protection standards applicable to TSPs.
• Caution against data monetization- Any government policy that promotes data monetization should be a matter of concern. We stand strongly against it as such an exercise will prompt a revenue incentive for state authorities to collect more data than necessary for specified purposes, thereby leading to data maximisation.

Important Documents

1. IFF's counter comments to TRAI’s "Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges" dated February 24th, 2022 (link)
2. IFF’s comments to TRAI’s "Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges" dated February 14th, 2022 (link)
3. TRAI’s "Consultation Paper on Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges" dated December 16th, 2021 (link)
4. IFF’s comments on TRAI’s Consultation Paper on Traffic Management Practises (TMPs) and Multistakeholder Body for Net Neutrality dated 13th February, 2020 (link)
5. Read more on Net Neutrality here

Note: This post was drafted by Shivangani Misra, a Capstone Fellow hosted at IFF, and reviewed by IFF staffer Anushka Jain.