TRAI recommendations bring phone makers under the regulation ambit
In what could be seen as yet another manifestation of the shift to a strong data protection regime, India’s telecom sector regulator, the Telecom Regulatory Authority of India (TRAI), released a set of recommendations on privacy, security and data applicable to the broader ecosystem of telecommunications, including phone makers and value-added service providers.
“Each user owns his/ her personal information/ data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data,” say the TRAI recommendations unequivocally.
The recommendations are based on extensive consultation the regulator held with various stakeholders in the telecom value chain, after releasing a consultation paper in August last year.
That is when India’s Supreme Court delivered a historic judgment recognizing the right to privacy as a fundamental right. The judgment accelerated the move towards building a strong data protection regime.
The timing of the release is interesting, as India’s draft bill for general data protection regulation is expected any time now. Many of TRAI’s recommendations would become redundant once the legislation based on this bill comes into force.
While the telecom service providers are already required to comply with some of these provisions, TRAI seeks to extend them to other players in the ecosystem.
“Till such time a general data protection law is notified by the Government, the existing Rules/ License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem,” says the TRAI document.
“For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers and Applications,” the regulator recommends.
The Indian draft Data Protection Bill, which is reportedly ‘almost ready’, has been prepared by a 10-member government-appointed committee headed by Justice B N Srikrishna, a retired judge of the Supreme Court of India.
The committee had issued a draft white paper for discussion in November last year. Based on the feedback, it has prepared the draft Data Protection Bill. The draft bill was expected to be released in May but has been delayed, reportedly because of some contentious issues relating to Aadhaar, India’s national identity system.
As would be expected, many of the issues touched on in the 77-page TRAI document are the same as or very similar to the issues being addressed by the draft bill.
While many of the TRAI recommendations would be redundant after the Indian Data Protection Bill comes into effect, there are some important sectoral requirements that may not be adequately addressed by it.
For example, the TRAI recommendations urge the government to make it “mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users.” This will significantly hit all device makers, especially the likes of Apple.
The TRAI document also recommends creation of a common platform for sharing of information relating to data security breach incidents by all entities in the digital ecosystem, including telecom service providers. It categorically recommends that it “should be made mandatory” for all such entities.
The TRAI recommendations also urge the government to formulate and notify a National Policy for encryption of personal data generated and collected in the digital eco-system. Encryption has been a matter of intense debate globally, especially in the context of device makers using their own encryption, which sometimes comes in the way of law enforcement agencies’ investigations.
Data Controllers (companies controlling user data) should be prohibited from using “pre-ticked boxes” to gain users’ consent, the recommendations further specify. It is a common practice among some telcos in India to make the user sign up for value-added services. Once the regulations come into force, it will put a stop to that practice.
Apart from the points discussed above, some of the other major points in the set of recommendations include:
- Multilingual, easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities in the digital eco-system for the benefit of consumers.
- A study should be undertaken to formulate the standards for anonymization/ de-identification of personal data generated and collected in the digital eco-system.
- All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users.
- Devices should disclose the terms and conditions of use in advance, before sale of the device.
- The Government should put in place a mechanism for redressal of telecommunication consumers' grievances relating to data ownership, protection, and privacy.
- All entities in the digital ecosystem, including Telecom Service Providers, should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation and for preventing such breaches in future.