The telecom sector is very heavily regulated. We are told exactly what we have to store, how much we have to store, for how long we have to store,” said Anjali Hans, Senior Vice President of Regulatory & Corporate Affairs at Vodafone Idea Limited, at MediaNama’s discussion on the impact of the Personal Data Protection Bill, 2019 on cloud and telecom services. “But for us, I think the sending of data outside India, the cross-border transfer is one of the important aspects of the data protection bill.” Pointing out that telecom operators were already required to make sure that user information stays in the country, Hans said she hoped that there would be “harmonization within sectors” and a “balanced approach” that would reduce the regulatory burden on telecom operators.

This discussion was supported by Microsoft and Google. Comments have been edited for brevity and clarity.

Existing regulations for data collection in telecom

When I say harmonized, I am saying harmonized as a horizontal regulation that is applicable to telecom,” she said. “So, I will probably get a relaxation in my current clauses [from the license]”, she added. 

On being controlled by two sets of law — the telecom license on one hand and the PDP Bill on the other — Hans said that it would be limiting for telecom businesses. “I mean we are basically data controllers of our subscribers, and we are processing the very data that we control, or otherwise we are engaging processors,” she said. “We could have entities that are carrying out billing for us. My post-paid customer has given his bank account details for a standing instruction and for the amount to be debited every month. So, if financial information is considered as sensitive personal data, then that one item in itself will prevent me from getting maybe my processing done at a country of my choice.”

Recommendation: Hans said, “It should not be like I am supposed to fix past data, it has to be applied the moment it comes in, time needs to be given to bring it into play. So, I think it was earlier, two years was given. That amount of time is required to implement the bill. And during this period maybe I think we need to adopt an upgraded approach even including on penalties. To say straight away this is the law implemented, otherwise you are going to get penalized, it’s like a really hard-handed thing especially when there are a lot of things where we still don’t know how we are going to deal with it.”

[emphasis ours]

Are CDRs personal data or inferred data?

Nikhil Narendran, Partner at Trilegal, said, “The ways in which a telco handles your data is very, very complicated. Right from the IP data records that’s implicit to the traffic that passes through their networks to the back-end processes like interception and monitoring and other things, it’s pretty much impossible for a telco to go and take consent from the customer.” When it comes to sensitive data like location information, “that kind of granular level of consent will be impossible for a telco to handle under the current PDP Bill.”

Hans said that some aspects of telecom services wouldn’t require consent in the first place, as they are an integral part of the service being provided. “We get our customers to sign a CAF, a customer application form, and the data which is usually collected is prescribed by the DoT — name, address, billing preferences, mobile number portability data, telemarketing preferences, etc. But in so far as maintaining a Call Detail Record for every customer goes, that is the very fundamental of the service that is being provided, so I do not need to ask my customers permission to create a CDR.” Right down to the format, Hans said, telecom operators were by law required to maintain CDR data including location information.

All this data that is collected [from CDR] will come under the ambit of inferred data because that is by virtue of provision of the service,” Hans added. Note that when it comes to data that is created not by the user but by the service provider, the issue of inferred data makes it hard to pinpoint who owns the data, as even though it is made from user behaviour, the telco still “creates” and therefore “owns” it — this could be in conflict with the PDP bill, under which CDRs may be classified as personal data. Hans said she was worried about the  PDP Bill adding such information “to the ambit and scope of the data protection bill to include this data into that whole gamut of privacy.”

No exemption for data that is integral to providing a service

Narendran said that there was no standard exemption to the PDP Bill’s provisions that exempted industries like telecom and banking just because there are other laws that require the collection of data that might have higher consent standards under the new law. Hans said that while telcos might face legal issues when it comes to using or processing data, there may be a problem, but that creating data like CDR would not be an issue as that is data that is generated by telcos’ infrastructure (when they make calls or send texts), and not information that is provided by subscribers.

Narendran conceded that data that telcos collect may be integral to provide the service — much as how Facebook collects users’ browsing behaviour, like recording when they zoom into a picture. Unlike in the GDPR, which exempts data collection for the purpose of providing a service, the PDP Bill does not clearly carve out this kind of exemption. In that kind of case, Narendran questioned how telcos could “inform the customer, get their consent and disclose all the processing that [telcos] are doing with respect to the data, as that’s a huge amount of data being processed, in a way that is incomprehensible to the common man — and under the PDP bill you have to make sure that it’s communicated to the end-user in a manner which is transparent and easy to understand.”

Read our complete coverage of the discussion here.