In a move with far-reaching ramifications, the Telecom Regulatory Authority of India (Trai) on Monday said users owned their data, while entities in the digital ecosystem storing or processing such data were mere custodians. The authority said it was limiting its recommendations to telecom service providers (TSPs) as the larger issues on data protection for all sectors would be addressed by the committee headed by Justice B N Srikrishna.
The recommendations have come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.
These recommendations, when accepted by the government, will mean that entities like browsers, mobile applications, devices, operating systems and service providers, among others, will not be able to share personal data with third parties without getting the consent of customers. The current rules regarding data protection under the IT Act are not sufficient. A Trai official said the licence conditions applicable to telecom service providers did not allow sharing call detail records with third parties, but there were no such rules for digital entities.
The rights to choice, notice, consent, data portability and to be forgotten should be conferred upon telecommunication consumers, according to Trai. It has also been proposed that the privacy-by-design principle, coupled with data minimisation, should be made applicable to all the entities in the digital ecosystem.
The right to be forgotten empowers users to delete past data that they may feel is unimportant or detrimental to their present position.
Past data could be in terms of photographs, call records, video clippings and so on.
The regulator, though, has added a rider that the right to data portability and right to be forgotten are restricted rights, and the same should be subject to applicable laws in this regard.
Reacting to Trai’s recommendations, telecom industry body COAI said, “We are happy as the regulator is calling for all digital entities to be brought under data protection framework…the regulator, by making the recommendation, is ensuring that no exception is made for any service provider, while subjecting them to the rules to meet the national security and privacy norms.”
In its recommendations on privacy, security and ownership of data in the telecom sector, the Trai said: “Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to service providers for protection of users' privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications.”
Trai said it had been noted that entities in the digital ecosystem collect personal data of users even when such data may not be required for the functioning of the application or device. Sharing an example, the regulator said that for using an application that activates the flashlight as a torch on a mobile device, the application seeks permission to access the camera, microphone, contact list, etc., none of which is required.
“It has also been reported that the applications may deploy a waterfall model of consent wherein once an entity is given consent by the user for a particular application or service, the entity translates the consent to many other entities on its own without obtaining explicit consent or knowledge of the user which is a serious breach of users’ personal data, choice, and consent,” Trai said.
Proposing various measures for data protection, Trai said all entities in the digital ecosystem which control or process the data should be restrained from using metadata to identify individual users. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, Trai has recommended that all entities in the digital ecosystem which control or process their personal data should be brought under a data protection framework.
“Right now these are just recommendations and in which form these will translate into law, we don't know,” said Amber Sinha, senior programme manager, Centre for Internet and Society. Ideally, there should be an omnibus data protection law, he said. “It's a good thing that they are starting to develop views on it but it's essential that within the government bodies there should be consensus on principles, so that there are no major conflicts.”
Trai has recommended that data controllers should be prohibited from using “preticked boxes” to gain users’ consent and devices should disclose the terms and conditions of use in advance, before sale of the device.
The regulator proposed that, in order to ensure sufficient choices for the users of digital services, granularity in the consent mechanism should be built in by the service providers. Commenting on the proposals, Apar Gupta, a New Delhi-based lawyer, said Trai had approached data protection from the point of view of ownership and not that of privacy being a human right, even though the Supreme Court had reiterated that point last year. “The problem is that there are more government controls and checks and balances on people's rights in the data-ownership model. These regulations will constitute all parts of transmission data through electronic mode,” Gupta said.
Trai has recommended making it mandatory for the devices to incorporate provisions so that users can delete pre-installed applications if they want to.
“To ensure the privacy of users, national policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest,” the regulator said.
Trai has suggested that all entities in the digital ecosystem, including telecom operators, should transparently disclose information about privacy breaches on their websites, along with the actions taken for mitigation and for preventing such breaches in future.
- Existing norms “not sufficient” to protect consumers
- Entities processing user data mere custodians sans primary rights
- Firms should disclose data breaches in public
- Firms should list actions taken for mitigation, preventing breaches
- Consumers should be given right of consent, right to be forgotten
- Study should be undertaken to formulate the standards for de-identification of personal data
- Data of consumers should be encrypted during storage
- Mandatory provisions should be incorporated in devices so that users can delete pre-installed applications
- Terms and conditions of data use should be disclosed before the sale of a device
- Data controllers should be prohibited from using preticked boxes to gain users’ consent