
[LUG] OT: Telecom law in India: for interest / comparison with UK

 

Bearing in mind the recent discussion on BT etc., I thought I would
post the following email on recent changes to Indian Law.

----- Forwarded message from Nishith Desai Associates <nda@xxxxxxxxxx> -----

Date: Wed,  4 Aug 2010 22:10:19 +0530 (IST)
From: Nishith Desai Associates <nda@xxxxxxxxxx>
Subject: Telecom Hotline: Stringent Rules for Foreign Telecom Vendors; August 04, 
2010

       

      August 04, 2010

      STRINGENT RULES FOR FOREIGN TELECOM VENDORS

      Background

      The telecom sector has always been a sensitive and highly regulated sector in 
India. While economic liberalization has led to the opening up of this sector to 
foreign investment, there have been growing concerns on the part of the government 
with respect to security of the telecom networks in India and their vulnerability to 
threats. Over the past few months, the government has introduced various measures 
in view of these concerns such as inter alia [1], 

      (i)       the requirement for telecom operators to obtain security clearance 
from the Department of Telecommunications ("DoT") for core equipment supplied to 
them by foreign vendors; and 

      (ii)     the requirement that telecom operators are required to include a 
clause in their purchase orders to such foreign manufacturers to the effect that the 
foreign manufacturers shall effectuate a transfer of technology of all critical 
equipment and software to Indian manufacturers within a period of three years from 
the date of the purchase order. Criminal liability has been linked to non-compliance.

      Though these measures attempt to address national security concerns, they have 
become the source of a lot of controversy and opposition due to their harsh and 
one-sided nature. 

      The DoT has now issued notification dated July 28, 2010 which amends the terms 
of the telecom licenses under which the telecom operators provide services and 
imposes certain specific obligations on the telecom operators ("Notification") [2]. 
More importantly, this Notification provides clarification on the scope and nature 
of technology transfer; it is now clear that the scope of technology transfer being 
considered by the Government is much wider than was earlier perceived upon issue of 
the March 18, 2010 notification.

      Analysis of the Salient Features of the Notification

      Some of the salient features of the Notification are:

      1.         Security Policy. Within thirty (30) days of the date of the 
Notification, the telecom operators are to submit to the DoT their organizational 
policy on security and security management.

      The telecom licenses currently contain detailed security provisions which the 
telecom operators have to necessarily comply with including terms and conditions for 
the inspection of network equipment, monitoring of traffic, provision of call data 
records and encryption norms. Since the DoT has not mandated any minimum standards 
or models to be followed by the telecom operators in framing such organizational 
policies and it is not yet clear whether such policies will be made public, the 
benefits of this requirement remain to be seen.  

      2.         Network Audit. Telecom operators have to engage the services of 
internationally accredited agencies to conduct audit and certification of core 
equipment such as routers, switches, firewall, intrusion detection and prevention 
systems, VOIP and all software associated with all the telecom operations and 
services. In order to eliminate any risk of conflict, the telecom operators have to 
ensure that such audit agencies should not be from the same country as that of the 
vendors of the telecom operators.  

      3.         Minimal dependence on foreign engineers. The telecom operators are 
to ensure that dependence on foreign engineers shall be made minimal and/or almost 
nil within a period of two (2) years from the date of the Notification.

      The telecom licenses already contain provisions which make it mandatory for 
the telecom operators to obtain security clearance in respect of foreign nationals 
to be deployed for installation, operation and maintenance of the telecom network.  
The Government has now gone a step further and has made provisions to ensure that 
there is no dependence on foreign expertise in network management. 

      4.         Location details. The telecom operators have to ensure that within 
one (1) year from the date of their existing equipment are upgraded so as to ensure 
that the telecom operators are able to provide location details of mobile customers 
within a precision of up to fifty (50) meters. 

      The telecom licenses authorize the DoT to issue directions to the telecom 
operators on the precision of the data regarding subscriber locations which should 
be provided by the DoT. The DoT has exercised this right and has provided very 
specific location details which should be provided by the telecom operators. 

      5.         Security and Business Continuity Agreement Template. The DoT has 
approved the template of a Security and Business Continuity agreement ("Security 
Agreement") which has to be executed by the telecom operators and their vendors. 
This Security Agreement will be executed in addition to the main supply/ 
procurement/ license agreement which may be signed between the telecom operator and 
the vendors; it is to be noted that in case of any conflict, the terms of the 
Security Agreement would prevail. 

      While the Security Agreement has been eagerly awaited by the industry, it is 
perhaps the most stringent and disturbing of all the new policies. It is 
disheartening to note the somewhat haphazard manner in which it has been drafted 
and mandatorily enforced on operators and vendors. It contains numerous provisions 
on security related tests, access to network systems and transfer of intellectual 
property. We discuss some of the important ones below:

      (i)             Transfer of Technology. While the March 18, 2010 notification 
did state that the vendors would have to sign up to a transfer of technology clause, 
there was hope that the government would come out with reasonable guidelines on the 
scope of such transfer. However the only provision of the Security Agreement which 
relates to technology transfer reads as follows:

      "4.6.2          At the time of termination of contract or as and when required 
by the TSP, the vendor shall ensure making over all tools, procedures, documents, 
skills, softwares etc. using which TSP system were maintained operated, analysed, 
attended etc, by the Vendor." [3]

      This provision is particularly controversial since the intellectual property 
that vests in technology provided by vendors is perhaps the most important and 
valuable asset for the vendor. This provision read in line with the requirements of 
the March 18, 2010 notification is in effect asking for an outright transfer of the 
vendors' intellectual property to a third party. Such a provision is highly 
objectionable and against the basic principles of commerce between private parties.  

      (ii)           Escrow. The telecom operator and the vendor have to enter into 
an agreement with an escrow agent authorized by Controller of Certifying Agencies 
("CCA") or the National Informatics Centre, Department of Information Technology, 
Government of India. This arrangement covers all information and documentation 
relating to the supply and service obligations of the vendor (including all software 
source codes) ("Escrow Materials"). The CCA shall create an encryption key for the 
Escrow Materials; the encrypted Escrow Materials shall be deposited in escrow and 
the decryption key shall remain with the escrow agent. The Escrow Materials may be 
released on the occurrence of any of the release events such as (a) failure of the 
vendor to provide support, (b) corporate reorganization, (c) inspection of source 
codes by experts designated by the DoT, (d) in any event where the DoT is satisfied 
about the need and requirement of such release.

      Some of the release events included in the escrow provision are draconian in 
the sense that DoT has been given the right to unilaterally obtain the source codes 
at its discretion. Coupled with the Transfer of Technology provision (which can be 
triggered not only by the DoT but also by the telecom operator), it seems that the 
vendor is effectively being asked to sign away all their rights in their 
intellectual property. 

      (iii)          Personal Data. The Security Agreement imposes certain 
obligations on vendors where they process any sensitive or personal data in India 
inter alia that the vendor should be a registered safe harbor in India. The 
Notification also states that the vendors need to comply with the "Data Protection 
Legislation" which is defined as: "collectively the Directive  applicable local 
legislation, which includes in respect of Personal Data originating in the India, 
the IT ACT, 2000 and other relevant Laws". [4] 

      The DoT had earlier issued a Direction dated February 26, 2010 to ensure 
compliance by the service providers regarding confidentiality of information of 
subscribers and privacy of communications. The telecom licenses also contain 
provisions for ensuring the privacy and confidentiality of information of 
subscribers. The Information Technology (Amendment) Act, 2008, which has been brought 
into force from October 27, 2009, also includes a telecom service provider in the 
category of an intermediary and is liable for any offence under the said act. 

      It should also be noted that India does not have any regulations for safe 
harbor registration; as such the intention of Government in including requirements 
for safe harbor registration is not clear at this point. Moreover, it can be argued 
that provisions for processing of personal data cannot be made applicable to a 
vendor who is simply a supplier of hardware and software unless such vendor actually 
manages and controls the telecom network. It remains to be seen if the Government 
comes up with new requirements for safe harbor registration. 

      6.       Penalty. In the event of any security breach, the affected equipment 
shall be taken out of service and a penalty shall be levied on the telecom operator 
amounting to INR 50,00,00,000 for each affected purchase order and a penalty of 100% 
of the contract value. 

      Conclusion

      It should be noted that while all the requirements under the Notification 
(except the requirement for telecom operators and vendors to execute the Security 
Agreement) are in the nature of obligations cast on the telecom operator, in all 
likelihood, the telecom operators will execute back-to-back agreements with the 
vendors vide which the vendors would have to comply with these requirements. 
Accordingly, vide the Notification and other similar requirements promulgated by the 
DoT, the vendors are indirectly compelled to abide by the DoT regulations. 
Notwithstanding the foregoing, the requirement to execute the Security Agreement is 
an obligation that has been imposed by the DoT directly on the vendors. 

      The aim of the Government in implementing such regulations as stated in the 
March 18, 2010 notification is that there is a "need to reduce vulnerability in the 
long run". It is true that while the telecom sector in India is very lucrative, 
India does not have a very strong indigenous telecom manufacturing industry. Since 
telecom is a security sensitive sector, the government's concerns in this area are 
understandable. However, while some measures which have been adopted by the 
government such as security vetting of vendors may be welcome and desirable, the 
unilateral rights to take over the intellectual property rights of vendors without 
providing justification has met with widespread disapproval not only from the 
vendors but from telecom operators as well. If such measures are not changed it will 
cause great prejudice to Indian telecom since foreign vendors are likely to shy away 
from a regulatory set up which unfairly empowers the government to literally take 
over their assets. Further, such complex and strict regulatory conditions may also 
be akin to the imposition of non-tariff barriers on free trade and may be viewed as 
potential WTO non-compliance. 

      If the telecom operators follow the DoT guidelines and obtain security 
clearance for foreign vendors and the equipment, there is very little justification on 
the reasoning adopted by the government that such foreign vendors would continue to 
pose a security threat to the country. If the Government believes that it has 
justified reasons for believing that the operations of any such security vetted 
vendors poses a threat to national security, the Government can cancel the security 
clearance; such cancellation should of course only be resorted to upon observance 
of the principles of natural justice. Further a well formulated escrow mechanism can 
be considered which has well defined release events which do not operate at the mere 
discretion of the Government. Such release events could be in the form of imminent 
and grave national security threats. While the Government's efforts to bolster the 
Indian telecom manufacturing industry are understandable, this aim cannot be 
effectively achieved by imposing regulations which compel foreign vendors to give 
their assets to indigenous entities. 

      It is hoped that the government will soon come out with positive and 
encouraging clarifications and amendments to the Notification and template agreement.

       

      _______________

      1 DoT Notification dated March 18, 2010 issued by the DoT; 
http://www.dot.gov.in/as/2010/as_22.03.2010.pdf

      2 (i) Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(25) amends the Unified 
Access Service License Agreement; (ii)  Notification No. 
10-15/2009-AS.III/Vol.II/(Pt.)/(26) amends the Basic Service License Agreement; 
(iii) Notification No. 10-15/2009-AS.III/Vol.II/(Pt.)/(27) and Notification No. 
10-15/2009-AS.III/Vol.II/(Pt.)/(28) and Notification No. 
10-15/2009-AS.III/Vol.II/(Pt.)/(29) amends the Cellular Mobile Telephone Service 
License Agreement.

      3 The Security Agreement defines TSP as follows: "TSP means Telecom Service 
Provider licensed under section 4 of Indian Telegraph Act 1885 by the Licensor, 
Government of India"

      4 The Security Agreement defines Directive as follows: "Directive of the 
LICENSOR with regard to the processing of personal data and on the free movement of 
such data, or any subsequent legislation in relation thereto"


       

      - Rakhi Jindal, Vivek Kathpalia & Vaibhav Parikh





----- End forwarded message -----


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq