An Overview of Consumer Privacy Regulations for TSPs in India


An Overview of Consumer Privacy Regulations for TSPs in India -- BSNL project report


Preface

The project is an effort to inform the readers about the privacy regulations currently

enforced on telecommunication companies for protecting privacy of customer data

and ensuring higher quality of service to its customers. The report begins with the

introduction of BSNL and telecom sector in India, in general.

The modern communication system in India started with the laying down of telegraph

network during British rule. Various telegraph statutes were enacted by the

government in order to ensure telegraph network's exclusivity and government

control over electronic communication at the same time. It was these regulations that

laid the foundation of present day regulatory framework governing electronic

communication, be it wired or wireless. In the last decade, we all went through the

ups and downs related to mobile technology. We are witnessing huge growth rates in

mobile communication systems, increasing mobility awareness in society and

worldwide deregulation of formerly monopolized markets. Today telecommunication

service has transformed from a luxury available to select few to a necessity of

common man's daily life. Due to its exponential growth in the past few years, the

telecommunication field raises a new set of questions which can only be answered by

adopting newer techniques and outlook.

In the face of fierce competition, it is very essential to not only exist but also excel in

the market. Given the dynamic and complex nature of market with consumers

becoming more aware of the trends, maintaining a certain level of quality of service

has become essential. Maintaining customer privacy is one of the fields that have

recently caught the eye of the public as well as companies in India. Though the current

implementations regarding the matter are at a nascent stage, there is much more

to be done in the not so distant future. This project conveys an insight about the

current laws that try to uphold the consumers' privacy and try to bring to justice the

breaches on the company's part. The project also highlights a few foreign regulations to

learn from and, in general, suggests a few solutions for the betterment of the situation.

Introduction

The word “telecommunication” is a compound of the Greek prefix “tele” meaning 'far

off', and the Latin “communicare”, meaning 'to share'. In its current usage, it refers to

transmission of signals over a distance for the purpose of communication. The

telecommunications industry has impact on every aspect of our lives, from the simple

reality of enabling telephonic communication between people in different locations,

whether separated by blocks or by continents, to enabling supply-chains to work

seamlessly across continents to create products and fulfil consumer demands.

Telecommunication services have long been recognized as a key to

the rapid growth and modernization of the economy and an important tool for socio-

economic development for a nation.

Telecommunications in India can be traced back to the 19th century when the British

East India Company introduced telegraph services in India. The past two decades

can be considered as the golden period for the telecommunications industry in India

exhibiting exponential growth and development in terms of technology, penetration,

as well as policy. The growth and development led to the liberalization and huge

investment by both domestic and foreign players in this sector. Data services have

become one of the growth drivers for the industry with increasing internet penetration and

broadband adoption. At the same time, m-Commerce is being considered a great

opportunity to expand business beyond just voice & data services.

Telecom industry has evolved significantly over the last ten years and during this

period there have been increased requirements to have robust information security

environment. Also, with the increasing demand of having stringent legal and

regulatory information security requirement, there is an enhanced focus on the

subject across telecom operators. Consumers are facing unprecedented attacks on

privacy. With data brokers gaining unauthorized access to personal information,

threats to the privacy of personal information are on the rise.

Today's consumers are afforded unprecedented ease of communication and access

to information, thanks to recent technological advances. However these

advancements have done more than concentrate information channels and create

new options for consumers. Modern information gathering has also exposed

individuals to the threat of privacy invasion. Never before has personal data been so

easily compiled and transmitted. The very act of aggregating records creates new

opportunities for companies and data brokers to take advantage of inadequate legal

restraints on sharing and profit from the private information. This leaves consumers

open to the menaces of data mining, intrusive advertising, and identity theft.

Telephone companies must be held accountable for neglecting their duty to

safeguard consumers' sensitive information.

1. Company Profile

Bharat Sanchar Nigam Ltd. was incorporated on 15th September 2000. It took over

the business of providing telecom services and network management from the

erstwhile Central Government Departments of Telecom Services (DTS) and Telecom

Operations (DTO), with effect from 1st October 2000 on a going concern basis. It is

one of the largest & leading public sector units providing a comprehensive range of

telecom services in India.

BSNL has installed a Quality Telecom Network in the country & is now focusing on

improving it, expanding the network, introducing new telecom services with ICT

applications in villages & winning customer's confidence. Today, it has about 43.74

million line basic telephone capacity, 8.83 million WLL capacity, 72.60 million GSM

capacity, 37,885 fixed exchanges, 68,162 GSM BTSs, 12,071 CDMA Towers, 197

Satellite Stations, 6,86,644 Km. of OFC, 50,430 Km. of microwave network

connecting 623 districts, 7330 cities/towns & 5.8 lakh villages.

BSNL is the only service provider, making focused efforts & planned initiatives to

bridge the rural-urban digital divide in ICT sector. In fact there is no telecom operator

in the country to beat its reach with its wide network giving services in every nook &

corner of the country, and it operates across India except New Delhi & Mumbai. Whether

it is inaccessible areas of Siachen glacier or North-Eastern regions of the country,

BSNL serves its customers with a wide bouquet of telecom services namely

Wireline, CDMA mobile, GSM mobile, Internet, Broadband, Carrier service, MPLS-

VPN, VSAT, VoIP, IN Services, FTTH, etc.

BSNL is numero uno of India in all services in its license area. The company offers

wide ranging & most transparent tariff schemes designed to suit every customer.

BSNL has 90.09 million cellular & 5.06 million WLL customers as on 31.07.2011. 3G

Facility has been given to all 2G connections of BSNL. In basic services, BSNL is

miles ahead of its rivals, with 24.58 million wireline phone subscribers i.e. 71.93%

share of the wireline subscriber base.

BSNL has set up a world class multi-gigabit, multi-protocol convergent IP

infrastructure that provides convergent services like voice, data & video through the

same Backbone & Broadband Access Network. At present there are 8.09 million

broadband customers.

The company has vast experience in planning, installation, network integration &

maintenance of switching & transmission networks & also has a world class ISO

9000 certified Telecom Training Institute.

During 2010-11, the turnover of BSNL was around INR 29,700 crores.

1.1. VISION:

Be the leading telecom service provider in India with global presence.

Create a customer focused organization with excellence in customer

care, sales and marketing.

Leverage technology to provide affordable and innovative telecom

services/products across customer segments.

1.2. MISSION:

Be the leading telecom service provider in India with global presence.

Creating a customer focused organization with excellence in customer

care, sales & marketing.

Leveraging technology to provide affordable and innovative

products/services across customer segments.

Providing a conducive work environment with strong focus on

performance

Establishing efficient business processes enabled by IT.

1.3. OBJECTIVES:

To be the Leading Telecom Services provider by achieving higher rate

of growth so as to become a profitable enterprise.

To provide quality and reliable fixed telecom service to our customer

and thereby increase customers' confidence.

To provide customer friendly mobile telephone service of high quality

and play a leading role as GSM operator in its area of operation.

To develop strategy for rightsizing the manpower and providing greater

customer satisfaction

To leverage the existing infrastructure of BSNL for facilitating

implementation of other government programmes and initiatives

particularly in the rural areas.

2. Indian Telecom Sector

Like elsewhere, telecommunication in India started as a state monopoly. In the

1980s, telephone services and postal services came under the Department of Posts

and Telegraphs. In 1985, the government separated the Department of Post and

created the Department of Telecommunications (DoT). As part of early reforms, the

government set up two new public sector undertakings: Mahanagar Telephone

Nigam Limited (MTNL) and Videsh Sanchar Nigam Limited (VSNL). MTNL looked

after telecommunications operations in two megacities, Delhi and Mumbai. VSNL

provided international telecom services in India. DoT continued to provide

telecommunications operations in all regions other than Delhi and Mumbai.

In the early 1990s the Indian telecom sector, which was owned and controlled by the

Indian government, was liberalized and private sector participation was permitted

through a gradual process. First, telecom equipment manufacturing sector was

completely deregulated. The government then allowed private players to provide

value added services (VAS) such as paging services. In 1994, the government

unveiled the National Telecom Policy 1994 (NTP 1994). NTP 1994 recognized that

existing government resources would not be sufficient to achieve telecom growth

and hence private investment should be allowed to bridge the resource gap

especially in areas such as basic services. As markets and telecom technologies

started converging and the differences between voice (both fixed and wireless) and

data networks started blurring, the need for developing the modern telecom network

became an immediate necessity. Accordingly, private sector participation was

allowed in basic services.

The government at that time realized that a major part of the growth of the country's

GDP would be reliant on direct and indirect contributions of the telecom sector in the

future and accordingly the need for a comprehensive and forward looking

telecommunications policy was felt. This then paved the way for the New Telecom Policy

1999 (NTP 1999), which largely focused on creating an environment for attracting

continuous private investment in the telecom sector and allowed creation of

communication infrastructure by leveraging on technological development. The main

objectives and targets of NTP 1999 were as follows:

Availability of affordable and effective communications for citizens;

Strive to provide a balance between the efforts of universal service to all

uncovered areas, including the rural areas and the provision of high-level

services capable of meeting the needs of the country's economy;

Create a modern and efficient telecommunications infrastructure taking into

account the convergence of IT, media, telecom and consumer;

Protect the defence and security interests of the country.

NTP 1999 allowed private operators providing cellular and basic services to migrate

from a fixed license fee era to a revenue sharing era which made it financially

possible for such operators to function in the market. Most importantly, the

government recognized the necessity to separate the government's policy wing from

its operations wing so as to create a level playing field for private operators.

Accordingly the NTP 1999 directed the separation of the policy and licensing

functions of DoT from the service provision functions. The Government corporatized

the operations wing of DoT in October 2000 and named it as Bharat Sanchar Nigam

Limited (BSNL) which now operates as a public sector undertaking. In the year 2002,

the monopoly of VSNL also came to an end.

The process of liberalization in the country started in 1991 with the declaration of

New Economic Policy. Telecom equipment manufacturing was de-licensed in 1991

and value added services were opened to the private sector in 1992. After the 1991

liberalization in Government policies, various private players were allowed to enter

the telecom market. Indian telecom today benefits from some of the loosest

regulations in the world and, sometimes considered the “poster boy for economic

reforms”, has been among the top beneficiaries of the post-1991 liberalization era. The

Indian telecom sector with over 950 million customers is the second largest in the

world. The sector showed the growth rate of over 40% in recent years, making it the

fastest growing sector in India and around the world. The rapid growth in India was

possible due to proactive and positive decisions of the government and positive

lookout and support from both public and private sectors.

According to COAI data, the telecom customer base stood at over 951 million in

March 2012. Indian telecom sector has shown an exponential growth throughout as

a result of greater emphasis by the government. The Indian Telecom market is the

most competitive with over 11 operators in each circle, the largest number around

the world. The “big fish” of telecom industry are BSNL (state owned), Airtel,

Reliance, Vodafone, Idea and Tata. Only two networks, Reliance and Tata, offer

CDMA technology while all others are in the GSM band. GSM has an 88% share of

subscribers, which is continuously rising, and now even Reliance and Tata are offering

nation-wide GSM services. Tele-density had reached 78.66%

as of March 2012 and is expected to cross 84% by the end of 2012. The industry is

expected to reach a size of INR 344,921 crore by 2012 at a growth rate of over 26%,

and generate employment opportunities for about 10 million people during the same

period. Analytical forecasts suggest that the sector would create direct employment for

more than 2.5 million people and indirect employment for about 6 million people.

The total revenue of the Indian telecom sector grew by 7% to INR 283,207 crore for

the 2010–11 financial year, while revenues from the telecom equipment segment stood at

INR 117,039 crore. The figures below provide a gist of the swiftly growing Indian telecom

sector.

Figure 2.1: Subscribers Growth Chart. Subscriber Base (mn) by year, 2000 to 2011. Data labels in order: 3.1, 5.4, 10.5, 28.2, 47.6, 75.4, 146.4, 228.9, 341.3, 519.2, 746.6, 890.

Figure 2.2: Company wise % market share. Legend: Airtel, Reliance, Vodafone, Idea, BSNL, Tata, Aircel, Uninor, Sistema, Videocon, MTNL, Loop, Stel, HFCL, Etisalat. Data labels: 19.72%, 16.65%, 16.37%, 12.26%, 10.72%, 8.89%, 6.81%, 4.62%, 1.72%, 0.65%, 0.63%, 0.37%, 0.36%, 0.14%, 0.09%.

2.1. Indian Telecom Authorities:

Figure 2.1.1 (organisation chart): Ministry of Communications and Information Technology; Telecom Commission; DoT, TRAI, WPC, TEC.

2.1.1. Telecom Commission: The Telecom Commission was set up by the

Government of India on 11th April, 1989 with administrative and financial powers of

the Government to deal with various aspects of Telecommunications in the country.

The responsibilities of Telecom Commission along with DoT include policy

formulation, licensing, wireless spectrum management, administrative monitoring of

PSUs, research and development and validation of equipment etc. The multi-faceted

strategies followed by the Telecom Commission not only transformed the very

structure of the sector but also motivated all the public/private players to contribute in

accelerating the growth of the sector.

2.1.2. Department of Telecom: The DoT acts on behalf of the Central Government.

Some of the important functions of the DoT are as follows:

Policy, Licensing and Coordination matters relating to telegraphs, telephones,

wireless, data, facsimile and telematics services and other similar forms of

communications.

International cooperation in matters connected with telecommunications

industry including matters relating to all international standardization bodies

dealing with telecommunications such as ITU, RRB, ITU-R, ITU-T, ITU-D,

INTELSAT, INMARSAT, APT, etc.

Promotion of standardization, research and development in

telecommunications.

Promote the investment from private players in telecommunications industry.

Financial assistance for continuation and promotion of research and study in

telecommunications technology and for developing adequately trained

manpower for telecom programme.

Purchase and acquisition of land relating to telecommunications work.

2.1.3. Telecom Regulatory Authority of India: The Telecom Regulatory Authority

of India (TRAI) was established with effect from 20th February 1997 by an Act of

Parliament, called the Telecom Regulatory Authority of India Act, 1997, to regulate

telecom services, including fixation/revision of tariffs for telecom services which were

earlier vested in the Central Government.

TRAI's mission is to create, develop and maintain conditions for growth of

telecommunications in the country in a manner and at a pace which will enable India

to achieve a leading position in emerging global information society. One of the main

objectives of TRAI is to create a level playing field and facilitate fair competition by

providing a fair and transparent policy environment. In order to achieve the above

objective, TRAI has issued, in a timely manner, a large number of regulations, orders

and directives to deal with issues developing with time and provided the required

direction for the evolution of Indian telecommunication market from a Government

owned monopoly into a multi-operator, multi-service open competitive market. The

directions, orders and regulations issued cover a wide range of subjects including

tariff, interconnection and quality of service, among others.

2.1.4. Wireless Planning and Coordination: The WIRELESS PLANNING &

COORDINATION (WPC) Wing of the Ministry of Communications was created in

1952 as the National Radio Regulatory Authority responsible for Frequency

Spectrum Management, including licensing, and looks after the needs of all wireless

users (Government and Private) in the country. It exercises the statutory functions of

the Central Government and issues licenses to establish, maintain and operate

wireless stations. WPC has been divided into major sections such as Licensing and

Regulation (LR), New Technology Group (NTG) and Standing Advisory Committee

on Radio Frequency Allocation (SACFA). SACFA makes recommendations on

major frequency allocation issues, formulates the frequency allocation plan,

delivers expertise on the various matters related to International Telecom Union

(ITU), helps solve problems referred to the committee by various wireless users or

industry, provides clearance of all wireless installations in the country, etc.

2.1.5. Telecommunication Engineering Centre: A technical body representing the

interest of Department of Telecom, Government of India.

Specifies the common standards regarding the telecom network equipment,

services and interoperability.

Generic Requirements (GRs), Interface Requirements (IRs).

Issuing Interface Approvals (IA), Certificate of Approvals (CA), Service

Approvals (SA) and Type Approvals (TA).

Formulation of standards and fundamental technical plans.

Interact with international agencies like APT, ETSI and ITU etc. for

standardization.

Develop expertise to obtain the latest technologies and results of R&D.

Provide technical support to DOT and technical advice to TRAI & TDSAT.

Coordinate with C-DOT over the issues relating to technological

developments in the telecom sector for policy planning by DOT.

3. Problem Definition

There are enough concerns already in relation to the protection of personal data

information, under the influence of the right to one's privacy. The right to privacy

refers to the right of an individual to control the collection, use and disclosure of

personal information. Personal information can be in the form of personal interests,

activities, family details, educational details, telephone records, medical records and

financial details, to name a few. Further, the advancements in technology have

spawned an entirely new set of issues concerning privacy rights and data protection.

Privacy is a complex concept even before other concepts are lumped with it. The

concept of “privacy” needs to be carefully overviewed. It defies easy definition and

many proposals to protect privacy have gone forward without a clear understanding

of what privacy really is. Importantly, privacy is a personal and utterly subjective

condition.

One of the major flaws with the current telecom policy of India is the lack of adequate

privacy laws guiding them. For instance, until recently we did not have any proper

control over telemarketing calls. Telemarketing companies targeted Indian

consumers with all sorts of calls and schemes day and night. The Department of

Telecommunication (DoT) and Telecom Regulatory Authority of India (TRAI) think

that they have done their part by establishing the National Do Not Call (NDNC)

register, but in reality this is not enough. Consumer complaints have reduced to

certain levels but the numbers are still in thousands annually and many do not

complain due to the fear of wastage of time and money or the lack of knowledge to

do so. Clearly, the telemarketing lobby is toying with the telecom policies ingeniously

enough to keep themselves out of the hands of the law and clear of fines.

Further, there is no effective mechanism through which telecom disputes of

consumers can be effectively handled in India. The establishment of TDSAT has not

been a success due to the lack of widespread publicity among the masses. Also the

consumer protection law of India needs to be fine-tuned, keeping in mind the

telecom disputes. Another concern with India is the absence of effective privacy law

and data protection laws. Essential and private details of telecom consumers were

openly available for sale in the markets in recent past. Telemarketing companies

purchased this information and used the same without any fear of punishment as

there were no deterrent rules or regulations in this regard. People recently involved

themselves in the unconstitutional “Aadhar” project of India all around the country.

Under the project, biometric details of every Indian resident would be collected

regardless of the fact that there is no legal framework supporting such collection. On

combining it with the growing e-surveillance in India, lack of data protection and

privacy laws and unregulated telecom sector, it is not difficult to realize that others

know more about you than you do yourself.

With controversial activities like illegal phone tapping, imposition of Aadhar project,

launch of projects like National Intelligence Grid (Natgrid) and Crime and Criminal

Tracking Network and Systems (CCTNS), without any procedural safeguards, the

need of enactment of a dedicated and constitutionally sound privacy law has become

absolutely essential. While e-surveillance and electronic eavesdropping are

important for law enforcement and national security purposes, there is no justification

for deliberately keeping away from enacting suitable procedural safeguards against

their abuses towards the individuals. The Indian government in general and cabinet

committee on security (CCS) in particular must show seriousness about respecting

the constitution of India, and must operate all these projects within the constitutional

limits. For instance, we do not have a constitutionally valid phone tapping law in India

and India is probably the only democratic country in the world that engages in phone

tapping without a court warrant. The Indian executive has misused the constitutional powers

of the Judiciary and Parliament of India in great disregard of the Constitutional

provisions.

It is high time for the Parliament of India to enact strong cyber laws, effective privacy

laws and adequate data protection laws. Misusing the Judicial and Parliamentary

powers and making piecemeal efforts would not solve the problem. In a similar

fashion, the projects like CCTNS, Natgrid, central monitoring system (CMS), etc.

must also be undertaken only after proper and effective constitutional safeguards are

in place.

4. Overview

The telecom industry has enjoyed a spectacular success at absorbing Indians into its

fold, resulting in a subscriber base that stands just over 951 million (TRAI, March

2012) with Tele-density standing at a proud 78%. While this extensive penetration of

telecommunication has ignited an era of unprecedented access – truly a

'communications revolution' whose full effects may still be too early to grasp – it has

also led to the exposure of individuals to risks on a magnitude never before

witnessed. Firstly, during the normal course of their business, telecom companies

heap up vast volumes of personal data about their customers including copies of

identity documents, biographical information etc., which could potentially be

misused; Secondly, the fact that a vast amount of our communication now occurs

with the involvement of electronic media, has rendered us more susceptible to

invasive electronic surveillance - whether lawful or not; Thirdly, much of the

communications is now not merely ephemeral, but is stored in digital form for

unknown periods in corporate 'data centres'; Lastly, owning a mobile phone not only

enables us to communicate with our business partners and loved ones, but also

forces us to engage with a continual stream of 'noise' – telemarketing calls and

SMSs, prank/hoax calls, calls troubling us for the payment of bills and

offensive/threatening calls.

4.1. Issues with Privacy:

4.1.1. Contracts: It all begins with the signing of the piece of paper that forms

the basis for the parties to be able to form valid and legally binding

contract. Basic question relates to how the contracts can be formed,

performed and enforced for mutual benefit. Formation of any contract,

under the Contract Act, involves three main components. There has to be

an offer, there has to be an acceptance of the said offer without

modification and there has to be some consideration for the contract.

These components would be applicable to contracts with TSPs as well.

Regarding this, how do we know whether the offeree has accepted the

offer? Additionally, the issue of the exact time of communication of

acceptance of the contract is important, as such a time is critical for

determination of the rights of the parties. Further, various issues arise

where a person could be bound by the terms of a contract without even

reading it or without being able to negotiate the terms. There are situations

where a subscriber signs the contract without even looking at the contract

or its terms and conditions. Would this amount to a contract with the

customer? Also, consumer related transactions often occur between

parties who have no pre-existing relationship, which may raise concerns of

the person's identity with respect to issues of the person's capacity,

authority and legitimacy to enter the contract.

The aforesaid points regarding the acceptance, timing and not reading the

terms create a loophole in the effort to protect consumer privacy. It

may be possible that the contract was signed due to some enticing offer

made by the offeror or maybe he was convinced beyond reason. The huge

list of terms and conditions discourages the consumer from searching for the

privacy clause and thus leaves him vulnerable at the hands of the

company. The timing becomes essential when there is a change in the

policies and terms since the new consumers will have to follow the new

terms which may change the methods of handling private data.

4.1.2. Security: Security is of immense importance to ensure the good health of

the telecom sector since almost all the work requires a computer with internet

access. Companies that keep sensitive information on their servers must

ensure that they have adequate security measures to safeguard their

servers from any unauthorised intrusion. A company could face security

threats externally as well as internally. Externally, the company could face

problems from hackers, viruses and Trojan horses. Internally, the

company must ensure security against its technical staff and employees.

Security can be maintained by using various security tools such as

encryption, firewalls, access codes/passwords, virus scans and biometrics.

For example, a company can restrict access to the contents on its website

or servers only through the use of a password or login code. Similarly

confidential information on websites or servers can be safeguarded using

firewalls that would prevent any form of external intrusion. Apart from

adequate security measures, appropriate legal documentation is also

needed. For example, a company can have an adequate security policy

that would bind all the people working in and with the company.

With the advancements in the Internet, security breaches have become a daily

occurrence. TSPs need to protect their websites and servers against loss of

private data since a company can also be held liable for inadequate

security procedures on its servers. Failure to follow standard

procedures can result in the loss of consumer privacy even though the

company did not intend it, after which the company becomes entangled in legal

proceedings that waste its resources.

4.1.3. Telemarketing: Consumerism has grown tremendously all around the

world. In response, telemarketing provides a huge customer base by

making every individual a prospective customer for sales; it creates a flat

ground of customers irrespective of their interest, location, time,

profession, etc. Telemarketing is a method of direct marketing in which a

salesperson engages himself to entreat a prospective customer to buy

products or services, mostly over the phone or if possible through the

Internet. Most telemarketing calls are "cold calls". Cold calls are those

calls where the recipient of the call did not intend that the telemarketers

contact them. Though the real purpose of telemarketing is just to make a

sale, in doing so it violates a great deal of individual privacy. It often

happens that telemarketers have personal information when they call a

customer; this information is obtained from other vendors who sell similar

products. Telemarketing, over time, has become one of the most

controversial types of marketing.

It would be different if these services added value to individuals'

lives, but when the action hampers the individual or his way of

life, then his objection cannot be denied and certain checks and

countermeasures are required. And this gives rise to the very

“controversial” concept of privacy. The damage done by these

telemarketing calls to privacy can neither be measured nor be undone. And

most commercial organisations have little or no interest in taking costly

measures, which are often unprofitable, to protect the privacy of

customers; indeed, their objective is quite the opposite: to share the data

and gain monetary advantage, and not to recognise it as sensitive, so that it

is easier to avoid legal liability for lapses of security that may occur in the

future. Such behaviour makes telemarketing an unfair trade practice.

The policy decisions of TRAI pertaining to regulation of telemarketing calls

have not been successful. The procedure for deterring telemarketing

companies has been made so complicated and unproductive that it does

not benefit consumers at all. Further, even if a fine is imposed, the

troubled consumer would not receive it. There is no incentive for taking

all the pain to get the guilty telemarketer held responsible. The

telemarketing guidelines are inherently faulty and are still violating privacy

rights of Indians without any fear or deterrent. It is high time that, instead of

blindly manipulating the policy makers, corporates should refer to global

telemarketing standards and transform business ethics into action.

4.2. Indian legal scenario regarding Privacy:

4.2.1. Constitution of India: Although not specifically referenced in the

Constitution, the Right to Privacy is considered a ‘penumbral right’ under

the Constitution i.e. a right that has been declared by the Supreme Court

as integral to the Fundamental Right to Life and Liberty. In addition,

although no single statute confers a cross-cutting ‘horizontal’ right to

privacy, various statutes contain provisions which either implicitly or

explicitly preserve this right. The idea behind this development is simply

that the penumbral right would be of no meaning without provisioning for

certain other rights by implication. An example may serve to show the

point: while freedom of the Press has nowhere been expressly provided

for in the Constitution, it continues to have a very definite presence by

virtue of the fact that it constitutes an integral part of Article 19(1)(a) which

guarantees the Right to Freedom of Speech and Expression in India. It is

in this context that the requirement of a right to privacy arises.

Judgements:

Kharak Singh vs. State of U.P.: In the landmark judgement the

Supreme Court held that Article 21 of the Constitution includes

‘Right to Privacy’ as a part of the right to ‘Protection of Life and

Personal Liberty’.

R. Rajagopal vs. State of Tamil Nadu: The Supreme Court stated

that though the right to privacy was not enumerated as a

fundamental right, a citizen has a right to safeguard the privacy of

his own, his family, marriage, procreation, motherhood, child

bearing and education among other matters.

People’s Union for Civil Liberties (PUCL) vs. Union of India: The

Supreme Court held that the telephone tapping by Government

under S. 5(2) of the Telegraph Act, 1885 amounts to an infraction of Article

21 of the Constitution of India, unless it was required in the rarest of

rare circumstances such as public emergency.

While it may appear that the right to privacy is protected, to some extent,

as a fundamental right, it must be kept in mind that, barring a

few exceptions, fundamental rights secured to individuals are

limitations only against State actions. Thus, such an interpretation will not

protect an individual against the wrongful actions of private parties.

4.2.2. Indian Telegraph Act, 1885 and Rules: The Indian Telegraph Act, 1885

was enacted with the main object being "to give power to the Government

and to any company or person licensed under section 4 of the Indian

Telegraph Act, 1876, and specially empowered in this behalf, to place

telegraph lines under or over property belonging whether to private

persons or to public bodies." The preamble of the ITA, 1885 states that its

main objective is to amend the laws relating to telegraphs in India. The law

being used by the police and intelligence agencies for tapping telephone

lines is Section 5 of the Indian Telegraph Act, 1885 read with Rules 419 and

419A. In 1997, the Supreme Court intervened and ordered the Government

of India to frame proper rules for tapping electronic

communications. In the meantime, the technology has changed

dramatically since 1885, from analogue to digital, where a

mobile phone is a computer which communicates through a network of

computers to another mobile phone computer on behalf of the persons

involved in communication. Thus at any point of electronic interception, the

communication is between two computers in digital format and not in the analogue

format to which the Telegraph Act applies.

Provisions:

Section 5 (2) empowers the government to order the interceptions

of messages in cases of ‘public emergency’ or ‘in the interest of the

public safety’. The interception requires a written order from the

Central Government or a State Government or any officer specially

authorised in this behalf by the Central Government or a State

Government.

Section 11 empowers the telegraph authority to enter any property,

at any time, in order to repair or remove the telegraph line or post.

Section 23 imposes a fine of INR 500 on anyone brought in for

unauthorized access in telegraph office premises.

Section 24 makes it a criminal offence for a person to enter a

telegraph office “with the intent of unlawfully learning the contents of

any message”. Such a person may be punished with imprisonment

for a term of up to a year.

Section 25 further imposes a criminal penalty on anyone who

attempts to damage or tamper with any telegraph equipment with

the intent to prevent the transmission of messages or to acquaint

himself with the contents of any message or to commit mischief.

Punishment in this case could extend to three years imprisonment

or a fine or both.

Section 26 makes it an offence for a Telegraph Officer or other

official to alter, unlawfully disclose or acquaint himself with the

content of any message. This is also punishable with up to three

years imprisonment or a fine or both.

Section 30 criminalizes the fraudulent retention or wilful secreting or

detention of a message which is intended for someone else.

Punishment may extend to two years imprisonment or fine or both.

4.2.3. Information Technology (Amendment) Act, 2008: Following the UN

Resolution of adopting UNCITRAL Model Law on e-commerce, India

passed the Information Technology Act 2000 in May 2000 and it became

effective on October 17, 2000. The Information Technology Act 2000 addressed

the following issues:

Giving Legal Recognition to Electronic Documents

Giving Legal Recognition to Digital Signatures

Defining Offences and Contraventions

Establishing Justice Dispensation Systems for Cybercrimes

ITAA 2008 (Information Technology Amendment Act 2008), the newer

version of Information Technology Act 2000, has provided additional focus

on Information Security. It has added many new sections related to

offences like Cyber Terrorism and Data Protection. A new set of Rules

relating to Sensitive Personal Information and Reasonable Security

Practices (contained in section 43A of the ITAA, 2008) was released in

April 2011. The amendments received mixed reviews from cyber law

observers, who criticized the lack of legal and procedural

safeguards to prevent violation of the civil liberties of Indians, and appreciated

the amendments which serve to address the issue of Cyber

Security.

Provisions:

Section 43A makes a body corporate liable to pay compensation if it

is negligent in implementing and maintaining reasonable security

practices and procedures with respect to the sensitive personal

data or information of any person.

Section 66C imposes a penalty on anyone who fraudulently or

dishonestly makes use of any unique identification feature of any

other person, punishable with imprisonment extending to three years and

a fine up to INR one lakh.

Section 72A criminalizes the wrongful disclosure of personal

information of any person to any other person in breach of lawful

contract. Punishment may extend to three years imprisonment or

a fine extending to INR five lakh or both.

Section 84A vests the power in Central Government, for secure use

and promotion of e-governance and e-commerce, to prescribe the

modes or method for encryption.

Additionally:

Section 67C empowers Central Government to order intermediaries

to preserve and retain such information for such duration in such

manner as prescribed.

Section 69 empowers Central Government or State Government or

any officer thus assigned, for reasons to be recorded in writing, to

issue directions for interception or monitoring or decryption of any

information through any computer resource.

Section 69B empowers the Central Government to authorize the monitoring

and collection of traffic data or information through any computer

resource for Cyber Security.

4.2.4. TRAI Guidelines and Licence Agreements: TRAI established the

Telecom Unsolicited Commercial Communications Regulations, 2007 in

an attempt to prevent Unsolicited Commercial Calls to telecom consumers.

Hereunder a National Do Not Call Register was established, which

contains information regarding consumers who do not wish to receive

UCC. The regulation also specifies the procedure for initiation of

complaints by consumers and for their adjudication and disposal. It also

imposes fines on telemarketers who initiate UCC with individuals who

have opted not to receive such communications.

Clause 18 asks every Access Provider and the person authorized to

maintain the National Do Not Call Register to keep confidential all the

information disclosed by the subscriber and entered in the National

Do Not Call Register maintained under these regulations.

On 26th February 2010, TRAI issued a direction to ensure

compliance with the terms and conditions of the licenses regarding

confidentiality of information of subscribers and privacy of communications.

TRAI directs the Service Providers:

To ensure confidentiality of information as provided in the license

conditions.

To put in place appropriate safeguards required to prevent the

breach of confidentiality of information of the subscriber and privacy

of communication.

To furnish to the Authority, within fifteen days of issuance of this

Direction, the details of steps taken by the service provider to

safeguard the confidentiality of information of subscribers and

privacy of communications.

The detailed guidelines regulating the behaviour of TSPs are contained in

the terms of the licences issued, which permit them to conduct business;

frequently, these licences contain clauses requiring TSPs to safeguard the

privacy of their consumers. A few examples can be cited:

Cellular Mobile Telephone Service Licence:

Clause 42.2 orders the licensee to ensure the confidentiality of

information regarding the third party, unless the third party agrees

to divulge it or it is in public domain.

Clause 42.3 requires the licensee to ensure the confidentiality of

customer information.

Clause 43.5 ensures that in case any confidential information is

divulged to the licensee for proper implementation of the

Agreement, it shall be binding on the licensee and its employees

and servants to maintain its secrecy and confidentiality.

Clause 44.4 requires the licensee to ensure protection of privacy of

communication and ensure that unauthorized interception of

messages does not take place.

National Long Distance Licence:

Clause 5.6 (xi) provides that in order to maintain the privacy of

voice and data, monitoring shall only be upon authorization by the

Union Home Secretary or Home Secretaries of the States/Union

Territories.

Clause 41 orders the licensee to ensure protection of privacy of

communication and ensure that unauthorized interception of

messages does not take place.

Unified Access Service Licence:

Clause 5.G (xi) provides that in order to maintain the privacy of

voice and data, monitoring shall only be upon authorization by the

Union Home Secretary or Home Secretaries of the States/Union

Territories.

Clause 60 orders the licensee to put in place mechanisms for

protection of privacy of communication and ensure that

unauthorized interception of messages does not take place.

Clause 70 ensures that in case any confidential information is

divulged to the licensee for proper implementation of the

Agreement, it shall be binding on the licensee and its employees

and servants to maintain its secrecy and confidentiality.

4.3. International Norms:

4.3.1. European Union: The Data Protection Directive (95/46/EC) was

established to provide a regulatory framework to ensure secure and free

movement of personal data across the borders of the EU member

countries; in addition, it provides a baseline of security for personal

information wherever it is stored, transmitted or processed. The Directive

came into force in October, 1998. This general Data Protection Directive

has been complemented by other legal instruments, such as the e-Privacy

Directive (Directive on privacy and electronic communications --

2002/58/EC) for the communications sector. There are also well defined

rules for the protection of personal data in policing and judicial cooperation

in criminal matters.

Directive 2002/58/EC is a constituent of the "Telecoms Package", a new

legislative framework developed to regulate the electronic communications

industry and amend the existing controls governing the

telecommunications industry. This Directive principally focuses on the

processing of consumers’ personal data relating to the use of

communications services.

The Directive addresses issues such as:

Processing security: The provider of a publicly available electronic

communications service must take appropriate measures to

safeguard security of its services and customer data from

unauthorized access and destruction. In case of a breach of

security the provider must inform the subscribers concerning such

risk.

Confidentiality of communications: Member States shall ensure the

confidentiality of communications over publicly available electronic

communications services, through national legislation. The

communication interception must be prohibited without the consent

of the users concerned. They have the option to withdraw their

consent on the processing of traffic data.

Data retention: Traffic data and any other data must be erased or

made anonymous when it is no longer required, unless the

customer has given his/her consent for another use. The Directive

lays down provisions for the retention of data when it is required for

the purpose of investigation, detection and prosecution of criminal

offences.

Unsolicited communications: The Directive takes an "opt-in"

approach to automated calling systems without human intervention

for the purposes of direct marketing, i.e. users must have given prior

consent for such communications. However, in other cases users

may have to “opt-out”.

Public directories: Subscribers must give prior consent in order for

their telephone numbers (landline or mobile), e-mail addresses and

postal addresses to appear in public directories.

4.3.2. United States: Telecommunications in the United States is regulated by

the Federal Communications Commission (FCC). The FCC regulates how

telecommunications carriers and providers handle customers’ personal

information regarding activities like telemarketing and junk faxes. The main

legislation used to regulate telecommunication carriers is the

Communications Act, 1934. The Act sets rules as to how carriers may use

and disclose “Customer Proprietary Network Information” (CPNI), which includes

billing information, type of service used, and the types of calls customers

usually make. The FCC provides a “total service approach” that allows

carriers to use CPNI to market to existing customers; however, customers

are provided with a notice and an opportunity to opt out of marketing.

Additionally, customers are provided access to their information, and

the rules ensure that information is destroyed after it has served the purpose

for which it was collected.

The Electronic Communications Privacy Act (“ECPA”) was passed in 1986

to expand and revise federal wiretapping and electronic eavesdropping

provisions. The main objective was to strike a fair balance between the

privacy expectations of citizens and the legitimate needs of law

enforcement. ECPA includes the Wiretap Act, the Stored Communications

Act, and the Pen-Register Act. Individuals who violate ECPA can face up

to five years of jail time and a fine of about $250,000. Victims are also

entitled to a civil suit of actual damages, in addition to punitive damages

and attorney’s fees. The United States itself cannot be charged for a

violation, but evidence that is gathered by illegal means cannot be

introduced in court.

ECPA prohibits interception and disclosure of electronic communications;

however, an electronic device must be used to perform the surveillance;

mere eavesdropping with the unaided ear is not illegal under ECPA. Also,

ECPA requires only single-party consent; an individual can record his own

conversation without violating federal law. Pen registers and trap and trace

devices provide non-content information about the origin and destination of

particular communications. Because this information does not contain the

content of the communication, there is no reasonable expectation

of privacy in this information. In the context of phone calls, pen registers

display the outgoing number and the incoming number. IP addresses and

port numbers associated with the communication are also fair game under

the Act.

In May 2011, Senator Patrick Leahy, the Godfather of ECPA in 1986,

introduced the “Electronic Communications Privacy Act Amendments Act

of 2011”, which would serve to strengthen the protections for emails,

decrease the time within which a law enforcement agency must

notify the subject that a search has occurred, and require the agency to

obtain a warrant before seeking mobile phone location data. Leahy’s bill

would trigger the elimination of the distinction between emails and other

forms of electronic communications, mandating the law enforcement

agency to obtain a warrant before emails are produced by service

providers.

Title 47 U.S. Code § 222 states that every telecommunications carrier has

a duty to protect the confidentiality of private information of other

telecommunication carriers, equipment manufacturers, and customers,

including telecommunication carriers reselling telecommunications

services provided by a telecommunications carrier. Other federal laws

cover some specific categories of personal information; these include

Right to Financial Privacy Act, Fair Credit Reporting Act, Video Privacy

Protection Act of 1988, Cable Privacy Protection Act of 1984, Family

Educational Rights and Privacy Act, 1974, Drivers Privacy Protection Act,

Telephone Consumer Protection Act, 1991, etc.

Other Countries: Several countries such as UK, Spain, Switzerland, Sweden,

Australia, Thailand, Singapore, among others, have enacted laws to protect data and

privacy rights.

5. Recommendations

The telecom sector in India has shown exponential growth for over a decade and

has potential for more. With an increasing number of telecom operators, the key to

attract new customers is to establish a brand image, which can foster reliability and

sensitivity between the company and the customers. Privacy of customer information

can act as one of the many key differentiating factors to promote loyalty among the

customers. To achieve a higher level of loyalty, telecom operators need to

understand the key objectives and methodologies to establish an effective customer

privacy program. A robust control framework implemented throughout the

organization and the third parties can assist the telecom operators in maintaining

adequate customer privacy.

Customer privacy needs to be ensured throughout the lifecycle of customer

information. This can be achieved by having a holistic framework which may include:

Identification of the right set of information that needs to be captured, along

with its purpose laid out clearly.

Identification of the right level of access to the information, based on the

classification of information and accessing personnel.

Privacy principles related to collection, processing, disclosure, etc. should be an

integral part of business processes.

Enhancing the customer privacy protection across third parties by embedding

privacy norms in the service contracts.

Closely working with regulatory bodies to help better understand and

implement regulatory requirements.

Modifying business processes to make them more responsive towards

customer privacy requirements.

It is also suggested that they conduct periodic risk assessments of their

network establishment and modify their security programmes to adapt to the

ever-changing security environment.

6. Limitations

With increasing awareness among customers regarding the sensitivity of their personal

information, privacy protection has become an issue among the operators, but as

a matter of fact, it has failed to gain momentum. Much has been written and

advocated concerning the privacy issue, but much less has been put into action. Efforts are

underway to secure the telecom equipment, but the subject of privacy has been

neglected altogether. The reasons can be attributed to the following:

Government reluctance: With increasing sophistication of terrorist attacks involving

use of internet and mobile phones, it is becoming increasingly difficult for the

government to provide security with anonymity. Thus, in order to keep a better check

on miscreants, the government tends to do away with privacy and refrains from forming

any law. Further, the level of corruption prevalent among bureaucrats and politicians

prevents government from enacting any such law that can be used to fuel the

corruption or be used against normal legal proceedings.

Encryption policies: Encryption is the process of ciphering the readable text. It

provides a certain level of confidentiality to the data. Various telecom licences have

specific clauses relating to encryption which state that bulk encryption should not be

deployed by the licensee. The licensees are allowed to use up to a 40-bit key length in

the symmetric key algorithms or its equivalent in other algorithms without obtaining

permission. However, if higher limits are to be deployed, the licensee should obtain

prior written permission from the licensor and deposit the decryption keys, split into two

parts, with the licensor. These low limits, in the context of present high-performance

systems prevent organizations from providing the adequate confidentiality to the

customer data. The security of decryption keys always remains an issue in such a

case.

Cost factors: The Indian telecommunication sector is highly competitive and the long raging

price war has resulted in very low ARPUs. With increasing competition and decreasing

ARPUs it becomes difficult for the company to spend on the issues such as privacy. The

company focus is shifted to other factors which can help increase the ARPU, such as value

added services (VAS). Also, companies take advantage of the lack of awareness among users on

the subject matter and do nothing to increase that awareness.

7. Conclusion

In view of the growth and complexity of international trade, especially with the

influence of Internet and telecommunication, it is of utmost importance that a legal

framework be established setting specific standards relating to the manner and

purpose of assimilation of personal data offline as well as online. Consumers must

be made aware that they share information at their own will, and no data should be collected

without explicit consent.

India is among the last countries to roll out 3G technologies whereas many countries

are already deploying 4G technologies. Owing to such developments, the

government still has to go a long way to introduce effective policies, regulations,

guidelines, etc. in the interest of not only the government or the telecom operators

but also in the interest of the end consumers and all this has to be done without

further delay. While the Government's objective of protecting national security cannot

be overlooked, the government needs to be careful that the industry does not

suffer because of over regulation, lack of transparency and possible loopholes.

For India to take full advantage of the great opportunities and benefits that Internet

presents to developing nations such as ours, effective risk management strategies

coupled with adequate legal documentation will go a long way in protecting and

nourishing the same.