The Telecom Regulatory Authority of India (“TRAI”) on Monday released a set of recommendations regarding privacy, security, and ownership of data in the telecom sector. TRAI had suo motu released a consultation paper on ‘Privacy, Security and Ownership of the Data in the Telecom Sector’ on August 09, 2017 for public comments, with the aim of defining the scope of data privacy, security, and ownership of data in the telecom sector. After due consultations with stakeholders, the telecom regulator released its final recommendations on July 16, 2018.
I. Key recommendations:
(a) Personal data:
(i) The definitions of ‘Data’, as provided under the Information Technology Act, 2000 (“IT Act”), and ‘Personal Information’ and ‘Sensitive Personal Data and Information’ as provided under Sensitive Personal Data and Information Rules, 2011 (“IT Rules”), are adequate in the present scenario.
(ii) Each user is the owner of his / her data. Entities controlling and processing such data are mere custodians and do not have primary rights over this data.
(iii) Restrain all entities from using metadata to identify individual users.
(iv) A study should be undertaken to formulate the standards for anonymization / de-identification of personal data generated and collected in the digital eco-system.
(b) Data protection framework:
(i) The existing rules / license conditions for Telecom Service Providers (“TSPs”) shall be made applicable to all entities in the digital ecosystem until such time as a general data protection law is enacted.
(ii) Privacy by design principle shall be made applicable to all the entities in the digital ecosystem.
(c) User empowerment:
(i) Multilingual, easy to understand, unbiased, short templates of agreements / terms and conditions will be made mandatory for all the entities in the digital ecosystem for the benefit of consumers.
(ii) Data controllers should be prohibited from using ‘pre-ticked boxes’ to gain users’ consent.
(iii) It should be made mandatory for devices to incorporate provisions so that the user can delete pre-installed applications which are not part of the basic functionality of the device, if the user so decides.
(iv) The user should be able to download the certified applications at their own will and the devices in no manner will restrict such actions by the users.
(v) Devices should disclose the terms and conditions of use in advance, before sale of the device.
(d) Data privacy and security of telecom networks:
(i) TSPs are required to encrypt personal data during transmission as well as storage in the digital ecosystem. Only authorized entities will permit the decryption of data by TSPs, on a case-by-case basis, after consent of the consumer or as per the requirement of applicable law.
(ii) All entities in the digital ecosystem including TSPs should transparently disclose and share the information about the privacy breaches, vulnerabilities on their websites, along with the actions taken for mitigation, and preventing such breaches in future.
(iii) To harmonize encryption standards across sectors, the Government should notify a ‘National Policy for Encryption’ of personal data generated and collected in the digital ecosystem.
II. Binding nature of TRAI recommendations:
(a) No, as of date, these recommendations are not binding on the service providers. These recommendations issued under Section 11 of TRAI Act, 1997 must be accepted by the Telecom Commission and be notified by Department of Telecom (“DoT”) in order to be implemented. It is at the discretion of the Telecom Commission and / or DoT to accept or reject these recommendations.
III. Issues not dealt with in the TRAI Data Privacy recommendations:
(a) While the consultation paper included topics like data localization and cross-border data flows, lawful interception, rights and responsibilities of data controllers and the suggested mechanism to regulate the data controllers, the regulator citing the committee formed under Justice B. N. Srikrishna has avoided issuing any recommendations on these topics.
IV. Impact of these Data Privacy recommendations, if implemented:
(a) The recommendations, if enacted, impact device makers such as Apple, Asus and Lenovo, operating systems such as Android and iOS, browsers like Mozilla Firefox, and apps such as Facebook, Hotstar, Ola or Netflix by bringing them under the unified license conditions that currently apply to telecom service providers, until a concrete data protection law is enacted.
(c) Section 43-A of the IT Act and the IT Rules are applicable only to ‘body corporates’, which thereby limits the application of privacy regulations to Government departments and other entities like trusts and societies. These recommendations aim to broaden the scope of privacy regulations. All entities dealing with data will be mandated to implement the concept of privacy by design. Standards of encryption of data by TSPs will have to be upgraded.
V. Likelihood of these recommendations being accepted and implemented by DoT:
(a) The majority of these recommendations are temporary in nature, applying until a new data protection law is enacted. A few recommendations dealing with internet, applications and device manufacturers are outside the ambit of the regulatory powers of TRAI and actually fall under the Ministry of Electronics and Information Technology, the regulatory department for internet, applications as well as device manufacturers.
(b) TRAI’s recommendations on issues, which fall clearly within the domain of the internet, are not even capable of being implemented by DoT, even if they are accepted by them.
(c) Given that the expert committee headed by Justice B. N. Srikrishna is working on drafting a data protection bill, and that most of the recommendations are temporary in nature, in all likelihood these recommendations may never see the light of day and become binding.
[Update 1: The expert committee headed by Justice B. N. Srikrishna released, on July 27, 2018, the Data Protection Bill, 2018 and a report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”.]