TRAI recommends that current privacy rules applying to telecom service providers should also apply to “all entities in the digital ecosystem” until the upcoming general data protection law is notified. Data subjects should own their own data, leaving the controllers and processors of that data as mere “custodians [with no] primary rights over this data,” according to recommendations released by the regulator today. Data users should retain the rights of choice, notice, consent, data portability, as well as the right to be forgotten.
Their data should remain encrypted as it moves through the system and as it is stored. “Decryption should be permitted on a need basis by authorized entities in accordance to consent of the consumer or as per requirement of the law,” the report states. In addition, the Authority recommended further study into standards for anonymisation of personal data and consumer awareness programs.
Data controllers and processors should refrain from using metadata to identify users, should allow users to delete pre-installed applications, should apply “privacy by design” and data minimization, and should be prohibited from using “pre-ticked” consent boxes. The regulator recommends a common platform that aggregates all data security breaches by all entities in the digital ecosystem, including telecom service providers. All entities should transparently disclose information about privacy breaches.
“For the benefit of telecommunication users, a framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.”
In August of last year, the regulator floated a consultation paper on “Privacy, Security and Ownership of the Data in the Telecom Sector” that identified key data protection issues in telecom and Internet service, including the definition of personal data, the rights of users (known as data subjects), the rights and responsibilities of entities that determine the purposes and processing of the user data (known as data controllers), and enforcement mechanisms.
In an Idea Exchanges interaction, TRAI Chairman R S Sharma said, “For me, data privacy means that a person has control over his or her own data … I think if we can be clear on the concept of ‘ownership’ and be clear about the privacy and security standards of data, we will sort out the problems.”
The TRAI consultation questions focused on notice, consent, collection and purpose limitation, access and correction, information disclosure, security, openness, and accountability. The topics are drawn from a set of recommendations by former Delhi High Court Chief Justice A. P. Shah submitted to the Planning Commission in October 2012.
For roughly a month, 53 stakeholders — civil society organizations, industry associations, and telecom service providers — submitted their comments and counter-comments, which were made public on the TRAI website. The regulator also conducted an open house discussion in February amongst stakeholders. A person with close knowledge of the drafting process told the Indian Express that this TRAI paper can be seen as an input to the Ministry of Electronics and Information Technology (MeitY) committee led by Justice BN Srikrishna to draft a data protection law, slated to come out in the near future.