In response to the recent TRAI Consultation Paper on “Privacy, Security, and Ownership of the Data in the Telecom Sector”, Reliance Jio and Airtel have submitted comments in which they have strongly pushed for data localization and OTT regulation. The Jio submission even cites the regressive examples of China and Russia to build the case for data localization.
This submission exposes the possibility that Jio is building the narrative that national OTTs should be preferred over foreign OTTs in order to create a barrier for existing OTTs and build preferential regulatory treatment for its own OTT services. In its submission, Jio has played up national security concerns with e2ee while building the need for data localization due to lack of enforcement capability in foreign jurisdictions. When this is read with Jio’s public reflections that it sees its own future business growth in the OTT/app pie, it reveals a strategic alignment of Jio’s business and policy arms.
Only sometime back the president of global strategy at Jio had reflected that “I don’t believe that competition is with Bharti, Idea, Vodafone and Reliance Jio but the competition we have as a service providers fraternity, is with the emerging OTT players which are very fast and efficient from a product innovation standpoint”. Jio is already offering a number of app-based services, including JioPlay, Jio Beats, Jio VoD, and Jio Security among others to its customers in India.
The following excerpts from the Reliance Jio submission are examples of the restrictive narrative being pushed by telecom operators:
“Cross border transfer of data is a critical issue prompting many international legislations to protect sovereign interests. Russia and China have already implemented laws on local hosting of the data and the same is on the anvil in Europe. In fact China has proposed an additional draft law requiring any foreign owned entity to certify that any data taken out of China’s borders will not impact national security or interests. We submit that it is imperative that cross border transfer of sensitive data be prohibited by promoting localized hosting of personal data in India as is being done in the case of Aadhaar data. We reiterate the risk of all the regulations being rendered futile if operators are able to transfer data outside the country as then the local authorities / regulators will have little jurisdiction. There are several operators today who do not even have a presence in India and yet are able to transfer data outside the country. The only way to protect the interests of consumers and national security will be through firm laws on local hosting of data as has been done in several countries already.”
(General Comments)
“It is imperative that cross border transfer of sensitive data be prohibited by promoting localized hosting of personal data in India as is being done in the case of Aadhaar data. We reiterate the risk of all the regulations being rendered futile if operators are able to transfer data outside the country as then the local authorities/regulators will have little jurisdiction. There are several operators today who do not even have a presence in India and yet are able to transfer data outside the country. The only way to protect the interests of consumers and national security will be through firm laws on local hosting of data as has been done in several countries already.”
(Page 3)
“In the interest of National Security and Customer Data Privacy, the guidelines for data protection should also provide for data localization for sensitive data i.e. the collected data should be processed and stored in servers located in India only. This would give a sense of protection and assurance to the consumers that their personal data is safe and secure; and that the consumers would have access to judicial remedies in case the same is misused. This practice would also strengthen the regulators by helping them to keep a close watch on the activities of the different players involved in the ecosystem.”
(Pages 10-11)
“In the interest of national security and consumer privacy, Data Localization should be one of the most important aspects of the framework. Different players in the ecosystem collect, process and store data in servers outside the geographical boundaries of India. This results in undue judicial delays even in case of regular enquiries leading to a situation which results in dilution of powers of the law enforcement agencies. Also, with the increase in applications providing encrypted message delivery, the law enforcement agencies are at a loss. Thus, the guidelines should consider the framework wherein data is collected, stored and processed in India so that the security of the ecosystem can be strengthened. This would also lead to a sense of assurance for the consumers as it would give them access to judicial remedies in case the situation demands, unlike in the current scenario.”
(Page 12)
“We submit that there are two types of communication service providers. First group is the licensed TSPs and the second group consists of unlicensed OTT players. While the TSPs are required to obtain a license and abide by all the license conditions, the OTT players can start their operations even remotely with no oversight of the regulatory agencies. The TSPs are required to comply with comprehensive license terms and conditions and with the Authority’s regulations/ orders/ directions including those on data privacy and security.
Most of the OTT service providers, be it browser based or application based, providing communication services within India, have their servers outside the country, which leaves Indian security agencies powerless to exercise their rights in case of security compliances. Such practice of having servers outside the country also endangers privacy of the Indian Citizens’ personal and/or sensitive data since service provider operating in a particular country is bound by its legal system. The laws of that country may force such service provider to permit the legal officials of that country to access the data and any encryption keys that are stored within the nation’s geographical boundaries. Even if the service providers and/or security agencies try to capture the information flowing in the network, they can get only the raw data, as most of the OTT players use special encryption and it is extremely difficult for the Government and service provides to obtain decryption keys. Previously, the Authority has cited the protracted negotiation between security agencies and a specific device company. Therefore, some sort of regulatory framework needs to be evolved so that National Security and consumers’ security, safety and privacy issues are addressed along with ensuring the independence and ease of being a developer of the OTT applications and services.We submit that the Authority may consider evolving a suitable regulatory oversight for the OTT communication service providers for the rules pertaining to data privacy and data security. The prevailing situation results not only in uneven business conditions, but also allows unscrupulous elements in their anti-national and un-lawful activities by aiding them directly or indirectly through their communication services. Thus, the guidelines for data protection should address this anomaly and should put in place rules on data privacy and data security for all types of service providers be it licensed or unlicensed entity.”
(Question 10)