Towards digital security

Trai's guidelines are just what the doctor ordered

The Telecom Regulatory Authority of India's (Trai’s) recommendations on data ownership, privacy and purpose limitation have clearly been inspired by the European Union’s General Data Protection Regulation (GDPR). The ‘Right to be forgotten’ is being introduced as a concept for the first time in India as is the idea of 'privacy by design', along with granular end-user license agreements. For that matter, the basic unequivocal statement that data belongs to the individual who created it, with digital businesses being mere custodians, goes a step ahead than any previous statement by an Indian regulator. As working principles for crafting a framework for data protection and privacy, these guidelines appear unexceptionable. However, the release of these recommendations will cause confusion in the legislative domain. This is because the suggestions are not binding on the Department of Telecommunications, or private players in the digital and telecom services spaces. Also, a committee chaired by Justice Srikrishna is already looking at framing an overarching privacy legislation. The Srikrishna committee's recommendations are expected soon and in case of a conflict between the suggested legislation and the Trai's recommendations, the committee’s approach would obviously take precedence. 

However, viewed as a set of non-binding principles, the Trai guidelines are important because they do offer a comprehensive framework for the future of digital data protection. There are important commercial implications because most apps are not compliant with these recommendations and the new concept of ‘privacy by design’ would affect the way future apps are designed. The regulator’s s concerns are understandable. There are over a billion users of the Indian telecom networks. The telecom service providers carry out stringent KYC checks, collecting significant amount of personal information. There is location data generated about all mobile subscribers, 24x7. An increasing number of subscribers is using smartphones to surf the web, carry out financial transactions, as well as social media interactions and to avail web-driven instant messaging services, besides consuming news and entertainment. In addition, a large number of users are linked to their respective Aadhaar accounts, which means that digital information could leak from all sorts of sensitive areas, including health records, children's birth and school records, among others.

Plus, there’s meta-data — that is the data generated about data which allows artificial intelligence (AI)-driven programs to guess with a high degree of accuracy what somebody is doing by looking at their actions online. The simplest examples involve analysis of phone calls and text messages. Going further, if a user searches for medical clinics, sets up an appointment and pays for a test online, it is possible to guess what the medical issue may be. The Trai wishes to secure the data and metadata generated by users by a combination of methods. The user should be transparently informed if there is a breach of privacy. End-user licence agreements (EULA) should be written in simple language and data collection must be for specific purposes. If required, there should be multiple EULAs within the same app, for specific purposes.

The user should also have the right to delete pre-installed apps and demand the deletion of any data held by a digital service provider. Meta-data usage should either be banned, or stringently controlled for specific purposes. Apps should be designed keeping these concepts in minds, offering privacy by design. Service providers should be held accountable even for unintentional harm. If these recommendations are accepted within the relatively narrow ambit of Trai’s domain, and if the Srikrishna Committee makes broader recommendations on the same lines, India's digital space should become a lot more secure.