
#NAMA: How the Personal Data Protection Bill, 2019 would impact the telecom industry

“The telecom sector is very heavily regulated. We are told exactly what we have to store, how much we have to store, for how long we have to store,” said Anjali Hans, Senior Vice President of Regulatory & Corporate Affairs at Vodafone Idea Limited, at MediaNama’s discussion on the impact of the Personal Data Protection Bill, 2019 on cloud and telecom services. “But for us, I think the sending of data outside India, the cross-border transfer is one of the important aspects of the data protection bill.” Pointing out that telecom operators were already required to make sure that user information stays in the country, Hans said she hoped that there would be “harmonization within sectors” and a “balanced approach” that would reduce the regulatory burden on telecom operators.

This discussion was supported by Microsoft and Google. Comments have been edited for brevity and clarity.

Existing regulations for data collection in telecom

“When I say harmonized, I am saying harmonized as a horizontal regulation that is applicable to telecom,” she said. “So, I will probably get a relaxation in my current clauses [from the license],” she added.

On being controlled by two sets of law — the telecom license on one hand and the PDP Bill on the other — Hans said that it would be limiting for telecom businesses. “I mean we are basically data controllers of our subscribers, and we are processing the very data that we control, or otherwise we are engaging processors,” she said. “We could have entities that are carrying out billing for us. My post-paid customer has given his bank account details for a standing instruction and for the amount to be debited every month. So, if financial information is considered as sensitive personal data, then that one item in itself will prevent me from getting maybe my processing done at a country of my choice.”


Recommendation: Hans said, “It should not be like I am supposed to fix past data, it has to be applied the moment it comes in, time needs to be given to bring it into play. So, I think it was earlier, two years was given. That amount of time is required to implement the bill. And during this period maybe I think we need to adopt an upgraded approach even including on penalties. To say straight away this is the law implemented, otherwise you are going to get penalized, it’s like a really hard-handed thing especially when there are a lot of things where we still don’t know how we are going to deal with it.”

[emphasis ours]

Are CDRs personal data or inferred data?

Nikhil Narendran, Partner at Trilegal, said, “The ways in which a telco handles your data is very, very complicated. Right from the IP data records that’s implicit to the traffic that passes through their networks to the back-end processes like interception and monitoring and other things, it’s pretty much impossible for a telco to go and take consent from the customer.” When it comes to sensitive data like location information, “that kind of granular level of consent will be impossible for a telco to handle under the current PDP Bill.”

Hans said that some aspects of telecom services wouldn’t require consent in the first place, as they are an integral part of the service being provided. “We get our customers to sign a CAF, a customer application form, and the data which is usually collected is prescribed by the DoT — name, address, billing preferences, mobile number portability data, telemarketing preferences, etc. But in so far as maintaining a Call Detail Record for every customer goes, that is the very fundamental of the service that is being provided, so I do not need to ask my customers permission to create a CDR.” Right down to the format, Hans said, telecom operators were by law required to maintain CDR data including location information.

“All this data that is collected [from CDR] will come under the ambit of inferred data because that is by virtue of provision of the service,” Hans added. Note that when it comes to data that is created not by the user but by the service provider, the issue of inferred data makes it hard to pinpoint who owns the data, as even though it is made from user behaviour, the telco still “creates” and therefore “owns” it — this could be in conflict with the PDP bill, under which CDRs may be classified as personal data. Hans said she was worried about the PDP Bill adding such information “to the ambit and scope of the data protection bill to include this data into that whole gamut of privacy.”

No exemption for data that is integral to providing a service

Narendran said that the PDP Bill contains no standard exemption for industries like telecom and banking just because other laws require the collection of data that might be subject to higher consent standards under the new law. Hans said that while telcos might face legal issues when it comes to using or processing data, creating data like CDRs would not be an issue, as that data is generated by telcos’ infrastructure (when subscribers make calls or send texts) and is not information provided by subscribers.

Narendran conceded that data that telcos collect may be integral to providing the service — much as Facebook collects users’ browsing behaviour, like recording when they zoom into a picture. Unlike in the GDPR, which exempts data collection for the purpose of providing a service, the PDP Bill does not clearly carve out this kind of exemption. In that kind of case, Narendran questioned how telcos could “inform the customer, get their consent and disclose all the processing that [telcos] are doing with respect to the data, as that’s a huge amount of data being processed, in a way that is incomprehensible to the common man — and under the PDP bill you have to make sure that it’s communicated to the end-user in a manner which is transparent and easy to understand.”


Written By

I cover the digital content ecosystem and telecom for MediaNama.


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
