The Telecom Regulatory Authority of India (TRAI) Monday released a set of recommendations regarding privacy, security, and ownership of data in the telecom sector — the first data privacy blueprint by a statutory body. Although not binding, the recommendations can be seen as inputs to the draft data protection Bill that is likely to be released soon by a Ministry of Electronics and Technology committee led by retired Supreme Court Justice B N Srikrishna.
Four key takeaways
The report lays the foundation for individual ownership of data, making data collectors and data processors “mere custodians” of data who are subject to regulations. TRAI favours keeping the existing definition of personal data under the Sensitive Personal Data and Information (SPDI) Rules, 2011, as information that identifies an individual, whether directly, indirectly, or in combination with other information available to the entity. Data collectors often give personal data to data processors, which glean further information from them. The report says both collectors and processors should be accountable for “unintended harm” caused to the user.
Two, the data protection framework should apply equally to the government and to private entities, says the report.
Three, it suggests that existing privacy laws that apply to telecom service providers (TSPs) should also apply to “all entities in the digital ecosystem”. TSPs are the infrastructural pipes through which information travels. The other digital entities, TRAI states, include devices (mobiles and computers), browsers, software operating systems, applications, and over-the-top (OTT) service providers (that distribute media streamed over the Internet).
Four, an overarching theme is that “inadequate” data protection allows digital ecosystem entities an advantage in the use of the data, as compared to the user. According to law firm TRA, 62% of respondents to TRAI argued that current data protection norms should be revisited. All civil society organisations were in this category, while industry associations and TSPs were split.
TRAI has pushed for the individual’s right to know what data will be collected, how it will be used, who it will be given to, and whether or not a breach has occurred. The individual should have the right to choose whether or not to agree to these terms via her consent to “end user agreements” that are easy to understand, multilingual, and short. She should have the option to choose the specific terms she consents to; she should be allowed to delete pre-installed applications; have the right of data portability; and the right to be forgotten, so that her information is removed from search engine results.
On controllers, processors
Controllers and processors should not use meta-data (higher-level information about data) to identify users, and should not use pre-ticked consent boxes. They should build products with privacy in mind, also known as “privacy by design”. TRAI has suggested that entities collect the bare minimum data needed to provide the service, which is known as “data minimisation”.
What TRAI didn’t say
The report addressed three areas where privacy exceptions could potentially be legitimate — law enforcement, research, and quality of services — but did not make any specific exception recommendations.
Two, the report included advantages and disadvantages to data localisation — a much-debated topic regarding storage of data within national borders or a less-restrictive cross-border data flow. Most of the respondents to the TRAI consultation paper did not take a clear stand on this issue.
Three, the report suggested a hybrid human and technology approach to audit compliance with the data protection law, as seen in the EU’s GDPR, but did not make further specific audit recommendations.
Finally, the report said data sandboxes — testing environments that anonymise data for experimenting with new products — could be “dangerous” because of re-identification, but did not make concrete recommendations.