May 25, 2018 went into the history books as the day the European Union implemented the General Data Protection Regulation (GDPR) across the region, binding tech giants like Google and Facebook to responsibilities over the collection of users' data. The regulator made it mandatory for companies to be very clear about what they collect and how they do it, as well as to give users control over their data collection. Almost two months after the decision, India’s telecom regulator, which has been brainstorming on how to protect the data of the country’s citizens, has recommended stricter rules to bolster the existing framework for the protection of users’ personal data.
The Telecom Regulatory Authority of India (TRAI) has issued a list of recommendations to safeguard Indian citizens and their data when they go online. In a letter to Aruna Sundararajan, Secretary, Department of Telecommunications, Ministry of Communications, TRAI Secretary SK Gupta said that since data is ubiquitous in the "Digital Era" today, the protection of users' personal data is a matter of deep concern for everyone.
“Since large portion of data flows through the telecom networks, the Authority felt it necessary to examine the issue of privacy and security of data in telecom networks and the measures that need to be adopted to ensure the privacy and security of data of telecom consumers,” Gupta said. Accordingly, the authority has suo motu issued a consultation paper on the issue. The recommendations are based on the definitions of “Data” as provided under the Information Technology Act, 2000, and “Personal Information” and “Sensitive Personal Data and information” as provided under the Sensitive Personal Data and Information Rules, 2011.
On personal data, the authority said that each user owns his/her personal information/data collected by or stored with the entities in the digital ecosystem. The entities controlling and processing such data are mere custodians and do not have primary rights over it, and all entities in the digital ecosystem that control or process the data should be restrained from using metadata to identify individual users.
On the sufficiency of the existing data protection framework, the authority recommends that all entities in the digital ecosystem that control or process consumers' personal data be brought under a data protection framework, to protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem.
“Till such time a general data protection law is notified by the Government, the existing Rules/ License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers and Applications. Privacy by design principle should be made applicable to all the entities in the digital ecosystem viz, Service providers, Devices, Browsers, Operating Systems, Applications etc. The concept of "Data Minimisation" should be inherent to the Privacy by Design principle implementation. Here “Data Minimisation” denotes the concept of collection of bare minimum data which is essential for providing that particular service to the consumers,” TRAI noted in its recommendations.
For user empowerment, the authority recommends that the Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten be conferred upon telecommunication consumers, and that service providers build granularities into the consent mechanism to ensure sufficient choices for the users of digital services. To bolster the data privacy and security of telecom networks, TRAI said that the Department of Telecommunications should re-examine the encryption standards stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors.
Following the announcement, the Cellular Operators Association of India (COAI), the industry association of mobile service providers, telecom equipment makers, and internet and broadband service providers in India, has welcomed TRAI’s recommendations.
“We are happy with the TRAI’s recommendations on Privacy, Security and Ownership of Data as the regulator is calling for all digital entities to be brought under data protection framework. This would include all devices, operating systems, browsers, and applications and would be welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them. This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained. National security and privacy issues are of paramount importance. Accordingly, the regulator by making this recommendation, is ensuring that no exception is made for any service provider, while subjecting them to the rules to meet the national security and privacy norms, i.e. same service same rule should be established for similar service providers. However, this is our preliminary view and we will need to review the other recommendations to determine their implications,” Rajan S Mathews, Director General, COAI, said in a statement.
TRAI’s move comes as nations across the globe are reeling under personal data hacks. The first major wave came after social media behemoth Facebook came under scrutiny for sharing users’ personal data with UK-based firm Cambridge Analytica. It was later reported that the data was wrongly used to support the election campaign of Donald Trump, who was running for President of the US in 2016.