Even though many of the entities covered under the latest recommendations on data protection and privacy issued by the Telecom Regulatory Authority of India (Trai) on Monday are outside the regulator’s purview, it has suggested the government ways to monitor and ensure data privacy. Explaining the rationale behind this, Trai chairman RS Sharma said in an interview with PRANAV MUKUL that this was done because the applications, smartphones, browsers and other players in the ecosystem were faucets to the telecom pipe that accesses the internet. He also spoke about the need for these recommendations given that the Justice BN Srikrishna committee was already looking into data protection issues. Edited excerpts:
How much of what has been recommended by Trai, is really in its jurisdiction?
It’s not a question of jurisdiction. Jurisdiction doesn’t mean that I confine myself. Telecom sector is our jurisdiction. I’m not saying that I must confine my recommendations which we regulate, that’s not the issue. The issue is that we are confining our recommendations only to the telecom sector. The telecom sector begins with the telecom pipes (or telecom service providers). Yesterday, these pipes were only talking to each other. Today, they are necessary to reach the internet, to reach the cloud, to download data and therefore the scope of these pipes has increased. Therefore the new players in this ecosystem are the devices. Without a smartphone you cannot access the telecom pipe. If the smartphones were simply storing the data in the device itself, it wasn’t a problem but they are radiating the data into their own cloud and are using it. The operating systems are using that data to conduct analytics. So we are certainly concerned about anybody putting a telecom user’s data to use or misuse. For traditional telecom pipes, there are laws – there’s the Information Technology Act, 2000, there are licensing conditions for telecom companies — there’s a robust framework. It may have deficiencies but there is a framework. The same job the other stakeholders are also doing — devices, applications, browsers — but there is no framework for them. Till such time a general law related to data protection emerges, these players also follow the same rules which telecom service providers are following.
There is a committee under Justice Srikrishna looking at recommending a data protection framework. Don’t recommendations preempt the committee’s final views?
The Justice Srikrishna Committee and this consultation paper were issued simultaneously. Essentially, during the process we realised that there are a number of issues, if the general data protection law comes in the country, it will take care of it because they are not issues that are specific to the telecom sector. So we have limited our recommendations to only telecom sector despite analysing issues that are beyond that. For example, we have analysed the issue about rights and responsibilities of data controllers. But we have not given recommendations on it and simply said that the Justice Srikrishna Committee is working on it. However, if there is any special treatment required after the general data protection law comes in for the telecom sector, the TRAI can certainly look into that and issue further recommendations.
What are those areas that you decided to eschew from your recommendations?
Technological audit of personal data use, measures to create data-based business, data sand-boxing, legitimate exceptions to privacy regulations and cross-border data-flow. These are the areas where we have said that we are not going to give any recommendations. However, we have provided our inputs and done our analysis.
The Reserve Bank of India, also a regulator, did take a call to restrict data storage of financial services providers within the borders of India. Why couldn’t Trai do the same?
RBI has the power to do it, we do not. We think that this is something that the general data protection law and we must not try to address it before the law is in place.
What is the overall premise behind TRAI getting into a domain that goes beyond the telecom sector?
Ownership is the concept of the physical world. Ownership brings about exclusivity. The problem in the digital world is that the data is infinitely divisible. So data can reside at multiple places without loss of quality. What we are saying is that the original guy who produces that data or whose activities produce that data must have the primary control of that data. The others are only custodians. That’s the whole premise of these recommendations. We have made the recommendations that these are the issues in the telecom space because we don’t have the authority to make laws and regulations, we can’t, sort of, do anything. We have suggested to the government that what should be done in the interim, till the law comes in to place, what should be done in the longer run. We have also recommended that there should be a platform where people share best practices about what to do about data breaches.