TSPs path to the data protection

To ensure full compliance with the upcoming DPDP Bill, telcos will need to revamp their data management processes and reconsider their consent architecture

India’s exponential growth in the last five years has been a shining beacon, in an otherwise bleak world economic outlook. Credit, for example, must be given to the government’s steady focus to expand India’s technology sector. The RBI estimated the size of India’s digital economy to be USD 222.5 billion in 2019 while a MEITY report suggests that India’s digital economy could be valued between USD 500 billion to USD 1 trillion by 2025.

A key component of this growth is likely to be India’s telecom sector, with the newly introduced 5G technology expected to contribute USD 450 billion to the economy between 2023 and 2040. With such rapid advancements, particularly in disruptive and highly data-intensive technologies, the need of the hour is to toe the fine line between promoting innovation and protecting individuals’ data and privacy.

The Government of India appears to be committed to seizing this opportunity. In November 2022, the MEITY released the draft of the Digital Personal Data Protection Bill (DPDP) providing for the data protection of individuals for public consultation. Further, the MEITY is on the anvil of releasing a new law to replace the age-old Information Technology Act of 2000, which continues to govern India’s technology sector. As reported, the Union Cabinet has approved the draft DPDP Bill 2023 and is likely to introduce it in the upcoming monsoon session of the Parliament.

TSPs will have to develop engineering solutions to provide subscribers with a summary of data actions and a list of sharing partners.

ADOPTING THE DPDP BILL

Given that the DPDP Bill is expected to overhaul the data protection and privacy regime, its impact on India’s telecom industry which is built on millions of subscribers’ data will be significant. Players in the telecom sector will have to ensure compliance with the new regime, while also ensuring that they adhere to their sectoral compliances. Business as usual, as they say, will have to change.

Let’s look at a couple of examples.

The unified license (UL) that telecom service providers (TSPs) are required to obtain places minimal data governance-related conditions on them. TSPs are broadly required to use their “best efforts” to ensure that the collection of information, including photo ID as required under the UL, is done only to the extent necessary for providing their service. TSPs are also required to ensure the confidentiality of such information unless disclosure is necessary for providing their service. These requirements are not similar to the privacy standards in jurisdictions like the EU. Even the IT Act contemplates higher compliances for the collection and processing of only sensitive personal information.

Contrasting the above with the requirements that the proposed DPDP Bill places on data fiduciaries like TSPs who will now have to, among others, provide an itemised notice to their customers of the data, including in cases where consent was collected in the past. This also includes the data they want to collect and the specific purpose. It also aims to mandate that TSPs can process such data (i.e., undertake activities like collection, structuring, combination, sharing etc.) only for the purpose specified in the notice, and they must obtain customers’ consent (whether explicit or deemed) for such processing.

To comply with these requirements, TSPs would certainly need to overhaul their data management processes and rethink their consent architecture. For example, TSPs would need to understand whether their usual methods of processing subscriber data would now require explicit consent for each class of data, or if deemed consent would suffice. Reliance on ‘deemed consent’ will also require greater thought as there is limited clarity on how this will unfold practically.

The DPDP Bill offers various rights to data principals, who are subscribers of TSPs. These rights include the ability to receive information about their processed data, which would increase compliance costs for TSPs as they would need to develop engineering solutions to provide subscribers with a summary of data actions and a list of sharing partners. Additionally, the bill ensures timely resolution of grievances. On the other hand, the UL does not guarantee any subscriber rights regarding TSPs’ data processing or an effective grievance mechanism.

Currently, TSPs only need to establish a “complaint centre” to address service-related concerns. To comply with the data principal rights outlined in the DPDP Bill, TSPs will likely need to revamp their operations. This could involve investing in staff training to address data privacy concerns and implementing engineering solutions for specific processes. Furthermore, TSPs may need to adopt stricter timelines for grievance resolution, considering the seven-day appellate period proposed in the DPDP Bill, compared to the 30 days stipulated by telecom regulations.

While this article highlights only a couple of examples, there will likely be many more points of conflict which emerge as the data privacy framework matures in India. As such, the Indian telecom sector will need to be methodical about how they approach these changes with regular compliance assessments and audits as well as devising a flexible and practical compliance roadmap, in close coordination with the government to highlight specific issues the sector may face while achieving compliance with the proposed law.

By Kirti Mahapatra & Punya Varma

Kirti is a Partner and Punya is a Principal Associate with Shardul Amarchand Mangaldas & Co.

feedbackvnd@cybermedia.co.in