Three months ago, in an article in this paper, I wrote about the utter meaninglessness of persisting with the Other Service Provider (OSP) regulations. I pointed out that while these restrictions may have made sense a decade ago, when data was scarce, the insistence on continuing to require the Information Technology (IT) industry to comply with its onerous technical and organisational requirements in the current context is unwise.
On Thursday night, the Government of India released a set of revised OSP guidelines that have effectively put an end to the inspector raj that these outdated regulations had perpetuated for so long.
There is no doubt that the amendments, in themselves, are both broad and far-reaching. In the first place, the types of entities covered by the regulations have now been limited to those that carry out voice-based business process outsourcing services — a radical change from the previous expansive definition that included the full gamut of IT-enabled services.
The previous broad definition was the reason for random acts of harassment by department of telecommunications (DoT) officials who were free to use the ambiguity inherent in the language to try and bring all sorts of IT services within its ambit.
Those few entities to whom OSP regulations now apply only need to comply with a few security obligations as well as ensure, at a high-level, that toll bypass does not occur. They are free to share infrastructure between international and domestic OSPs and use closed user groups for internal communications.
The work-from-home restrictions that were particularly chaffing in the context of the highly mobile workforce of today have been changed into a work-from-anywhere regime. In addition, restrictions such as the need for a network diagram and using static IP addresses for all agents working from home, have all been done away with.
Unlike under the previous regime, international OSPs are free to host their EPABX overseas and are only obliged to maintain a copy of their call data records (CDR) and system logs in India.
Domestic OSPs, however, will still have to maintain an EPABX and client data centre in India. With respect to specific instances of unlawful content, OSP is required to extend support to authorities in tracing malicious calls, messages or communications carried over its network.
But perhaps most significant is the fact that OSPs are no longer required to register themselves with the DoT.
That along with all the associated compliance obligations — the filing of network diagrams, requirements to furnish bank guarantees and the obligation to ensure that each additional site obtains a separate registration — have been eliminated entirely.
It is this liberalisation from registration that is likely to have the greatest impact on the sector. Where, in the past, companies had to think twice before setting out to establish businesses that provided services that, even tangentially, might have been covered by the extremely broad provisions of the definition, they can now simply set up their operations and make sure they comply with the few requirements that apply to that portion of their business that might be considered to be a voice-based business process outsourcing service.
There is work to be done unwinding the mountain of compliance that has already been put in place. As a result of this reform, thousands of site-specific registrations have been rendered infructuous virtually overnight and bank guarantees that have been submitted over the decades will have to be returned.
But perhaps, most significantly, the cadres of bureaucrats whose sole business it was to manage this obscure corner of the regulatory landscape will have to be disbanded and put to better use elsewhere.
As important as it is that we celebrate this success, we should, at the same time, pause to reflect on what this reform signals. OSPs are not the glamorous poster boys of the IT industry — that title is reserved for the e-commerce unicorns and the many iconic start-ups that dot the modern tech landscape.
Neither are they the titans of Indian industry who have built the many IT products that today run the banking sector, the health care space or even, in several instance, the government. These companies serve a more mundane role —performing operations that keep things ticking behind the scenes, supporting the front-offices of every type of business on the planet.
This is an industry that has no white knight to espouse its cause — and as a result, for decades had no option but to put up with the increasingly onerous obligations they were being subjected to.
Reforming these regulations was never going to be front page news. However, the long-term impact of these changes are going to be immeasurable.
But, more significantly, by doing away with such a staple of bureaucratic control as mandatory registration as well as eliminating all mention of penal consequences for breach are indications that the government is intent on making changes that will actually make a difference. I am eager to see what the government turns its attention to next.
Rahul Matthan is a partner at Trilegal, the author of Privacy 3.0 and has a podcast, Ex Machina
The views expressed are personal