The Telecom Regulatory Authority of India (Trai) on Wednesday floated a consultation paper seeking views on privacy, security and ownership of data in the telecom sector, which would also look at user data held by smartphone manufacturers from those using such devices. This comes at a time when the Trai is embroiled in a row with a major smartphone manufacturer over the latter not allowing a do not disturb app by the regulator to gain access the user data. In the paper, Trai has noted that while it recognises the “vast business and efficiency potential” of data analytics, it was also necessary to assess whether the data protection rights of individuals are being adequately protected. As a result, it added, it was vital that ownership rights, authority to use, transact and delete personal data were ascertained.
The consultation paper cites privacy principles such as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles were a part of the recommendations made in a report on data privacy submitted to the erstwhile Planning Commission in 2012 by a Group of Experts headed by Justice AP Shah.
“The principles referred to above could be regarded as a starting point for examining the soundness of the current framework governing the protection of user data across various stakeholders in the digital ecosystem. At the same time it is also important to consider the additional challenges that arise in the context of ‘big data’, which is commonly characterised by features such as the high variety, velocity, volume of the data under consideration,” the consultation paper said.
Through the paper, Trai has pointed towards having a mechanism for regulating and governing data controllers, and has sought views on issues such as rights and responsibilities of data controllers and whether the rights of a data controller could supersede those of an individual over his/her data. According to paper, a data controller refers to any organisation “that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them”.
Furthermore, the paper has also sought views on having a technology-enabled architecture to audit the use of personal data, and the consent associated with it. “Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?” Trai asked.
Even as Trai’s consultation paper would look at privacy and security of data only in the context of the telecom sector, a broader project to deliberate on data protection laws is being worked on by a Committee of Experts headed by Justice BN Srikrishna, which was constituted by the Ministry of Electronics and Information Technology on July 31.