The telecom sector has always been a sensitive and highly regulated sector in India. While economic liberalization has led to the opening up of this sector to foreign investment, there have been growing concerns on the part of the government with respect to security of the telecom networks in India and their vulnerability to threats. Over the past few months, the government has introduced various measures in view of these concerns such as inter alia1,
- the requirement for telecom operators to obtain security clearance from the Department of Telecommunications (“DoT”) for core equipment supplied to them by foreign vendors; and
- the requirement that telecom operators are required to include a clause in their purchase orders to such foreign manufacturers to the effect that the foreign manufacturers shall effectuate a transfer of technology of all critical equipment and software to Indian manufacturers within a period of three years from the date of the purchase order. Criminal liability has been linked to non-compliance.
Though these measures attempt to address national security concerns, they have become the source of a lot of controversy and opposition due to their harsh and one-sided nature.
The DoT has now issued notification dated July 28, 2010 which amends the terms of the telecom licenses under which the telecom operators provide services and imposes certain specific obligations on the telecom operators (“Notification”)2. More importantly, this Notification provides clarification on the scope and nature of technology transfer; it is now clear that the scope of technology transfer being considered by the Government is much wider than was earlier perceived upon issue of the March 18, 2010 notification
ANALYSIS OF THE SALIENT FEATURES OF THE NOTIFICATION
Some of the salient features of the Notification are:
Security Policy. Within thirty (30) days of the date of the Notification, the telecom operators are to submit to the DoT their organizational policy on security and security management.
The telecom licenses currently contain detailed security provisions which the telecom operators have to necessarily comply with including terms and conditions for the inspection of network equipment, monitoring of traffic, provision of call data records and encryption norms. Since the DoT has not mandated any minimum standards or models to be followed by the telecom operators in framing such organizational policies and it is not yet clear whether such policies will be made public, the benefits of this requirement remain to be seen.
Network Audit. Telecom operators have to engage the services of internationally accredited agencies to conduct audit and certification of core equipment such as routers, switches, firewall, intrusion detection and prevention systems, VOIP and all software associated with all the telecom operations and services. In order to eliminate any risk of conflict, the telecom operators have to ensure that such audit agencies should not be from the same country as that of the vendors of the telecom operators.
Minimal dependence on foreign engineers. The telecom operators are to ensure that dependence of foreign engineers shall be made minimal and/or almost nil within a period of two (2) years from the date of the Notification.
The telecom licenses already contain provisions which make it mandatory for the telecom operators to obtain security clearance in respect of foreign nationals to be deployed for installation, operation and maintenance of the telecom network. The Government has now gone a step further and has made provisions to ensure that the there is no dependence on foreign expertise in network management.
Location details. The telecom operators have to ensure that within one (1) year from the date of their existing equipment are upgraded so as to ensure that the telecom operators are able to provide location details of mobile customers within a precision of upto fifty (50) meters.
The telecom licenses authorize the DoT to issue directions to the telecom operators on the precision of the data regarding subscriber locations which should be provided by the DoT. The DoT has exercised this right and has provided very specific location details which should be provided by the telecom operators.
Security and Business Continuity Agreement Template. The DoT has approved the template of a Security and Business Continuity agreement (“Security Agreement”) which has to be executed by the telecom operators and their vendors. This Security Agreement will be executed in addition to the main supply/ procurement/ license agreement which may be signed between the telecom operator and the vendors; it is to be noted that in case of any conflict, the terms of the Security Agreement would prevail.
While the Security Agreement has been eagerly awaited by the industry, it is perhaps the most stringent and disturbing of all the new policies. It is disheartening to note the somewhat haphazard manner in which it has been drafted and mandatorily enforced on operators and vendors. It contains numerous provisions on security related tests, access to network systems and transfer of intellectual property. We discuss some of the important ones below;
Transfer of Technology While the March 18, 2010 notification did state that the vendors would have to sign up to a transfer of technology clause, there was hope that the government would come out with reasonable guidelines on the scope of such transfer. However the only provision of the Security Agreement which relates to technology transfer reads as follows:
4.6.2 At the time of termination of contract or as and when required by the TSP, the vendor shall ensure making over all tools, procedures, documents, skills, softwares etc. using which TSP system were maintained operated, analysed, attended etc, by the Vendor.”3
This provision is particularly controversial since the intellectual property that vests in technology provided by vendors is perhaps the most important and valuable asset for the vendor. This provision read in line with the requirements of the March 18, 2010 notification is in effect asking for an outright transfer of the vendors intellectual property to a third party. Such a provision is highly objectionable and against the basic principles of commerce between private parties.
Escrow The telecom operator and the vendor have to enter into an agreement with an escrow agent authorized by Controller of Certifying Agencies (“CCA”) or the National Informatics Centre, Department of Information Technology, Government of India. This arrangement covers all information and documentation relating to the supply and service obligations of the vendor (including all software source codes) (“Escrow Materials”). The CCA shall create an encryption key for the Escrow Materials; the encrypted Escrow Materials shall be deposited in escrow and the decryption key shall remain with the escrow agent. The Escrow Materials may be released on the occurrence of any of the release events such as (a) failure of the vendor to provide support, (b) corporate reorganization (c) inspection of source codes experts designated by the DoT, (d) in any event where the DoT is satisfied about the need and requirement of such release.
Some of the release events included in the escrow provision are draconian in the sense that DoT has been given the right to unilaterally obtain the source codes at its discretion. Coupled with the Transfer of Technology provision (which can be triggered not only by the DoT but also by the telecom operator), it seems that the vendor is effectively being asked to sign away all their rights in their intellectual property.
Personal Data The Security Agreement imposes certain obligations on vendors where they process any sensitive or personal data in India inter alia that the vendor should be a registered safe harbor in India. The Notification also states that the vendors need to comply with the “Data Protection Legislation” which is defined as; “collectively the Directive applicable local legislation, which includes in respect of Personal Data originating in the India, the IT ACT, 2000 and other relevant Laws”.4
The DoT had earlier issued a Direction dated February 26, 2010 to ensure compliance by the service providers regarding confidentiality of information of subscribers and privacy of communications. The telecom licenses also contain provisions for ensuring the privacy and confidentiality of information of subscribers. The Information Technology (Amendment) Act, 2008 has been brought into force from October 27, 2009, also includes a telecom service provider in the category of an intermediary and is liable for any offence under the said act.
It should also be noted that India does not have any regulations for safe harbor registration; as such the intention of Government in including requirements for safe harbor registration is not clear at this point. Moreover, it can be argued that provisions for processing of personal data cannot be made applicable to a vendor who is simply a supplier of hardware and software unless such vendor actually manages and control the telecom network. It remains to be seen if the Government comes up with new requirements for safe harbor registration.
In the event of any security breach, the affected equipment shall be taken out of service ad a penalty shall be levied on the telecom operator amounting to INR 50,00,00,000 for each affected purchase order and a penalty of 100% of the contract value.
It should be noted that while all the requirements under the Notification (except the requirement for telecom operators and vendors to execute the Security Agreement)are in the nature of obligations cast on the telecom operator, in all likelihood, the telecom operators will execute back-to-back agreements with the vendors vide which the vendors would have to comply with these requirements. Accordingly, vide the Notification and other similar requirements promulgated by the DoT, the vendors are indirectly compelled to abide by the DoT regulations. Notwithstanding the foregoing, the requirement to execute the Security Agreement is an obligation that has been imposed by the DoT directly on the vendors.
The aim of the Government in implementing such regulations as stated in the March 18, 2010 notification is that there is a “need to reduce vulnerability in the long run”. It is true that while the telecom sector in India is very lucrative, India does not have a very strong indigenous telecom manufacturing industry. Since telecom is a security sensitive sector, the government’s concerns in this area are understandable. However, while some measures which have been adopted by the government such as security vetting of vendors may be welcome and desirable, the unilateral rights to take over the intellectual property rights of vendors without providing justification has met with widespread disapproval not only from the vendors but from telecom operators as well. If such measures are not changed it will cause great prejudice to Indian telecom since foreign vendors are likely to shy away from a regulatory set up which unfairly empowers the government to literally take over their assets. Further, such complex and strict regulatory conditions may also be akin to the imposition of non- tariff barriers on free trade and may be viewed as potential WTO non-compliance.
If the telecom operators follow the DoT guidelines and obtain security clearance foreign vendors and the equipment, there is very little justification on the reasoning adopted by the government that such foreign vendors would continue to pose a security threat to the country. If the Government believes that it has justified reasons for believing that the operations of any such security vetted vendors poses a threat to national security, the Government can cancel the security clearance; such cancellation should off course only be resorted to upon observance of the principles of natural justice. Further a well formulated escrow mechanism can be considered which has well defined release events which do not operate at the mere discretion of the Government. Such release events could be in the form of imminent and grave national security threats. While the Government’s efforts to bolster the Indian telecom manufacturing industry is understandable, this aim cannot be effectively achieved by imposing regulations which compel foreign vendors to give their assets to indigenous entities.
It is hoped that the government will soon come out with positive and encouraging clarifications and amendments to the Notification and template agreement.
– Rakhi Jindal, Vivek Kathpalia & Vaibhav Parikh
You can direct your queries or comments to the authors
1 DoT Notification dated March 18, 2010 issued by the DoT; http://www.dot.gov.in/as/2010/as_22.03.2010.pdf
2 (i) Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(25) amends the Unified Access Service License Agreement; (ii) Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(26) amends the Basic Service License Agreement; (iii) Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(27) and Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(28) and Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(29) amends the Cellular Mobile Telephone Service License Agreement.
3 The Security Agreement defines TSP as follows: “TSP means Telecom Service Provider licensed under section 4 of Indian Telegraph Act 1885 by the Licensor, Government of India”
4 The Security Agreement defines Directive as follows: “Directive of the LICENSOR with regard to the processing of personal data and on the free movement of such data, or any subsequent legislation in relation thereto”