DSCI Inputs on TRAI Consultation on Regulatory Framework for OTT services




DSCI Inputs on TRAI Consultation on Regulatory Framework for OTT services April 24, 2015

Question 6: How should the security concerns be addressed with regard to OTT players providing communication services? What security conditions such as maintaining data records, logs etc. need to be mandated for such OTT players? And, how can compliance with these conditions be ensured if the applications of such OTT players reside outside the country? Please comment with justifications.

DSCI Response:

1. Security concerns should be viewed from a risk point of view that should cover not only communication services, but the entire gamut of services that run over the Internet.

2. From a national security viewpoint, the law of the land should be enforceable on all service providers who are providing services in India or to Indian citizens or residents, and they should be subject to the territorial jurisdiction of India. But as a general principle, subjecting the private sector to the requirements of data/infrastructure localization in the name of national security will prove to be counterproductive for a variety of reasons, including:

   - Localization requirements prohibit organizations from achieving economies of scale and leveraging global sourcing hyperspecialization benefits, resulting in increased cost of services that could be passed on to consumers
   - It threatens major new advances in technology and innovation
   - It threatens the open architecture of the Internet
   - If similar policy directions are followed by other countries, it will severely hit the established Indian IT-BPM industry sector, including the emerging cloud industry, which is a major contributor to the national GDP

3. Since many OTTs are located outside the country, there are various understandable national concerns that challenge the sovereign rights of nations, such as threats to national security through cyber espionage and the spread of social disharmony, difficulty in conducting cybercrime investigations and getting lawful access to data, difficulties in performing cyber forensics, privacy violations by foreign governments and companies, and difficulties for intelligence agencies in performing surveillance and interception, among others. These national concerns, especially those relating to national security, are genuine and important, and must be respected by the OTT players. For example, the OTT players should support Law Enforcement Agencies (LEAs) of different countries in crime investigations (access to data records, evidence) and forensics. The support should be transparent and timely, respecting the laws of the country from which the request has originated, irrespective of the location of the data storage. While many of these issues and concerns need global discussions and solutions, the knee-jerk reaction of governments which favours data localization / regulation of OTTs is a matter of great concern.

4. To overcome the challenges identified above, governments including India should work with other nations in plurilateral, multilateral and bilateral forums to discuss and come out with solutions. In the age of the Internet, global cooperation is quintessential and therefore India should take leadership in identified forums to ensure that its issues are addressed. For example, India should take up reform of the Mutual Legal Assistance Treaty (MLAT) with the U.S. or negotiate a special process for speedy data sharing on crime investigations with the U.S., as presently the Indian LEAs face issues when getting access to data records required from datacenters in the U.S. for investigating crimes that happened in India. India should strengthen bilaterals, multilaterals, plurilaterals, international treaties and other such mechanisms, and look to improve existing procedures for quick and effective information sharing and getting lawful access to data. Indian LEAs should also be effectively resourced and trained to raise legal requests for gaining lawful access to data from service providers and through the MLAT route. Further, there is also a dire need to improve procedures and frameworks for data sought by LEAs from OTT service providers both in India and abroad. This can be done by establishing institutional frameworks, possibly by establishing nodal agencies for seeking such information and standardizing disclosure norms across the service providers.

5. While the Indian legal framework, through section 67C of the IT (Amendment) Act, 2008, has provision for mandating the timeframe and specified format for retention of data records, logs etc. for intermediaries including the OTT players, no specific requirements have been detailed through the issuance of rules u/s 67C. However, various sectoral regulators have issued regulations/guidelines for data retention for organizations under their purview. Issuing rules under section 67C at the earliest will help standardize industry practices and expectations of LEAs on data retention.

6. The Indian legal framework and the LEAs should take cognizance of the nature of evolving technology architectures, such as no storage of data on servers of the OTT service providers, dynamic allocation of encryption keys, etc., so as not to scuttle innovation or unnecessarily create hurdles for the OTT players.

Question 7: How should the OTT players offering app services ensure security, safety and privacy of the consumer? How should they ensure protection of consumer interest? Please comment with justifications.

DSCI Response:

1. India has the second largest Internet population, and is home to the fourth largest start-up ecosystem in the world, and the reason for this has been minimum government interference in operations and governance. Given that the majority of users access Internet services through their mobile devices, there is a need to secure the entire ecosystem, to improve resilience.

2. There is no need to create a special legal framework for OTTs to govern security, safety and privacy of consumers. The Indian legal and policy framework already has provisions for the same: the IT Act, National Cyber Security Policy, Consumer Protection Act, among others. Such legal and policy provisions can surely be strengthened wherever necessary, either in content or enforcement. For example, as per section 43A of the IT (Amendment) Act, 2008, only Sensitive Personal Data or Information (SPDI) is to be protected using Reasonable Security Practices by Body Corporates. There also exists a patchwork of legislation governing privacy aspects in India. But there is no comprehensive privacy law in India, unlike many other countries. India should enact the comprehensive privacy law that has long been in the making. Much work has already been done in this regard through the development of a privacy framework by the Justice AP Shah Committee. Similarly, the government is yet to release the encryption policy under section 84A of the IT (Amendment) Act, 2008 for secure use of the electronic medium and for promotion of e-governance and e-commerce. Increasing the encryption standards in the country will enhance security, safety and privacy of consumers.

3. Incorporation of security and privacy aspects should be market driven, with practices and procedures evolved from global best practices. Ensuring consumer security and privacy is in OTT providers' best interests, as security and privacy are turning out to be important customer considerations. From a security viewpoint, policy initiatives and guidelines should provide direction for securing data, without prescribing the technology or standards to be adopted. Organizations should be allowed flexibility to implement the security measures that are most appropriate for mitigating the risks and reducing vulnerabilities. Technology neutral policies allow OTT players to deploy the technology and processes best suited to protect information in their specific case. Cyber threats evolve rapidly and, therefore, OTT players should have the flexibility to change the solutions they use to better protect their customers.

4. Development and adoption of standards, testing and certification mechanisms for security and privacy aspects (e.g. privacy seals or ratings of mobile apps) should be encouraged. For example, a lot of work is being undertaken at international standard development organizations (SDOs) to develop standards in the privacy space, including in the areas of privacy notice and consent. India should participate in such forums to ensure its requirements and concerns are addressed.

5. In addition to steps taken by the government and by businesses, consumers also have an important role to play when it comes to protecting their information. Consumer education is pivotal in ensuring privacy and security.

DATA SECURITY COUNCIL OF INDIA

Statement of confidentiality

This document contains information that is proprietary and confidential to DATA SECURITY COUNCIL OF INDIA (DSCI), and shall not be disclosed outside, transmitted, or duplicated, used in whole or in part for any purpose other than its intended purpose. Any use or disclosure in whole or in part of this information without explicit written permission of Data Security Council of India is prohibited.

© 2015 DSCI. All rights reserved.