TRAI pushes for data protection

India’s telecom regulator, TRAI, has recommended stricter rules for data protection to the Department of Telecom.  TRAI said that the existing framework for protection of personal data by companies and service is insufficient. 

Background

The Telecom Regulatory Authority of India (TRAI) was established with effect from 20th February 1997 by the TRAI Act of 1997. TRAI was constituted to regulate telecom services, including fixation/revision of tariffs for telecom services which were earlier vested in the Central Government. TRAI's mission is to create and nurture conditions for growth of telecommunications in the country in a manner and at a pace which will enable India to play a leading role in emerging global information society.

One of the main objectives of TRAI is to provide a fair and transparent policy environment which promotes a level playing field and facilitates fair competition. The TRAI Act was amended by an ordinance, effective from 24 January 2000, establishing a Telecommunications Dispute Settlement and an Appellate Tribunal (TDSAT) to take over the adjudicatory and disputes functions from TRAI.

India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is likely to be introduced in India in the near future. However, section 69 of the IT act empowers the government to intercept, monitor or decrypt any information including information of personal nature in any computer resource.

Recently, TRAI threatened Apple Inc. with legal action over the development of a government anti-spam mobile application. The application seemed to compromise user privacy by giving access to customers’ call and text logs.

Analysis

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," TRAI recommended to the Department of Telecom, which drafts final policy on this matter. “In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers”, the regulator added.

The Telecom Regulatory Authority of India (TRAI) also said entities controlling and processing user data do not have primary rights over that data. The recommendation comes in the aftermath of the data breach controversy by Facebook Inc., which saw millions of users’ data improperly accessed by political consultancy firm Cambridge Analytica, to support Donald Trump’s 2016 election campaign.

TRAI, in its 77 page recommendations, said: "The Government should put in place a mechanism for redressal of telecommunication consumers' grievances relating to data ownership, protection, and privacy." “All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users.” It has also favoured that entities getting control of data in any form should not be allowed to use "pre-ticked" boxes to gain users consent.

Recommending a study to formulate standards for de-identification of personal data generated in the digital ecosystem, TRAI has asked the government for a policy framework on regulation of devices, operating systems, browsers, and applications among other things.

This is first time the 'Right to be Forgotten' has been given weightage by an Indian authority. It empowers users to delete past data that he may feel is unimportant or detrimental to his present position. Past data could be in terms of photographs, call records, video clippings and so on which could potentially harm the reputation of the consumer. However, the right to data portability and right to be forgotten are restricted rights and are subject to applicable laws in this regard.

TRAI Chairman R. S. Sharma said that the regulator will share its recommendations as inputs with the Justice BN Srikrishna Committee. The committee is working on a detailed data protection framework for the country. The recommendation noted that till such time as the government puts a general data protection law in place, the existing rules and license conditions will be applicable to all the entities in the digital ecosystem.

Assessment

Our assessment is that TRAI’s recommendations present a comprehensive case for data protection as they deal  with data privacy in the context of devices, operating systems, browsers and applications. We believe that TRAI’s bold recommendations will have a positive reflection in the data protection framework of India. We feel that by reinforcing that consumers own their data, TRAI has made their position clear on the data privacy controversies taking place in the world.