TRAI issues guidelines to fortify privacy and data protection in India
The Telecom Regulatory Authority of India (TRAI) has come out with a set of recommendations regarding ‘Privacy, Security and Ownership of Data in the Telecom Sector’.
The ecosystem used for delivery of digital services consists of multiple entities like Telecom Service Providers (TSPs), Personal Devices (Mobile Handsets, Tablets, Personal Computers, etc.), M2M (Machine to Machine) Devices, Communication Networks (consisting of Base Transceiver Stations, Routers, Switches, etc.), Browsers, Operating Systems, Over The Top (OTT) service providers, Applications, etc.
TRAI observed that as the economy increasingly moves to the digital/ online world, it is all the more important that users are appropriately protected from all entities in the ecosystem that may seek to take advantage of their gate-keeping power. A failure to adequately protect users from the very real possibility of harm caused by the loss of privacy may restrict the growth of the entire digital economy, which includes telecommunication services.
The recommendations made by TRAI are as follows:
- Each user owns his/ her personal information/ data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.
- A study should be undertaken to formulate the standards for anonymisation/ de-identification of personal data generated and collected in the digital ecosystem.
- All entities in the digital ecosystem, which control or process the data, should be restrained from using Meta-data to identify the individual users.
- The existing framework for protection of the personal information/ data of telecom consumers is not sufficient. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem which control or process their personal data should be brought under a data protection framework.
- Till such time as a general data protection law is notified by the Government, the existing Rules/ license conditions applicable to TSPs for protection of users’ privacy should be made applicable to all the entities in the digital ecosystem. For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers, and Applications.
- The privacy by design principle, coupled with data minimisation, should be made applicable to all the entities in the digital ecosystem, viz. Service providers, Devices, Browsers, Operating Systems, Applications, etc.
- The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.
- In order to ensure sufficient choices for the users of digital services, granularity in the consent mechanism should be built in by the service providers.
- For the benefit of telecommunication users, a framework based on the Electronic Consent Framework developed by MeitY and the master direction for data fiduciaries (account aggregators) issued by the Reserve Bank of India should be notified for the telecommunication sector as well. It should have provisions for users to revoke consent at a later date.
- The Right to Data Portability and the Right to be Forgotten are restricted rights, and should be subject to the applicable restrictions under prevalent laws in this regard.
- Multilingual, easy to understand, unbiased, short templates of agreements/ terms and conditions should be made mandatory for all the entities in the digital ecosystem for the benefit of consumers.
- Consumer awareness programmes should be undertaken to spread awareness about data protection and privacy issues so that users can take well-informed decisions about their personal data.
- Data Controllers should be prohibited from using ‘pre-ticked boxes’ to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
- Devices should disclose the terms and conditions of use in advance, before sale of the device.
- It should be made mandatory for devices to incorporate provisions so that the user can delete pre-installed applications if he/ she so decides. Also, the user should be able to download certified applications at his/ her own will, and devices should in no manner restrict such actions by the user.
- Department of Telecommunication should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sector regulators.
- To ensure the privacy of users, a National Policy for encryption of personal data generated and collected in the digital ecosystem should be notified by the Government at the earliest.
- For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted in transit as well as at rest in the digital ecosystem. Decryption should be permitted on a need basis by authorised entities, in accordance with the consent of the consumer or as required by law.
- All entities in the digital ecosystem including Telecom Service Providers should be encouraged to share the information relating to vulnerabilities, threats, etc., in the digital ecosystem/ networks to mitigate the losses and prevent recurrence of such events.
- All entities in the digital ecosystem, including Telecom Service Providers, should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.
- A common platform should be created for sharing of information relating to data security breach incidents by all entities in the digital ecosystem, including Telecom Service Providers. It should be made mandatory for all entities in the digital ecosystem, including all such service providers, to be a part of this platform.
- Data security breaches may take place in spite of the adoption of best practices/ necessary measures by data controllers and processors. Sharing of information concerning data security breaches should be encouraged and incentivised to prevent/ mitigate such occurrences in future.