Indian telecom regulator TRAI released its recommendations on privacy, security and ownership of data in the telecom sector on 16 July 2018.
TRAI said all entities in the digital ecosystem, which control or process personal data, should be brought under a data protection framework in order to protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem.
The existing rules / license conditions applicable to TSPs for protection of users’ privacy should be made applicable to all the entities in the digital ecosystem till such time a general data protection law is notified by the Government, TRAI said.
A Reuters report said the recommendations are tough for the industry to implement. The report cited the recent Facebook scandal involving the sharing of information of millions of its customers for revenue growth.
The Indian Government should notify the policy framework for regulation of devices, operating systems, browsers and applications. This means device makers such as Apple, Samsung and Xiaomi, and operating system / browser suppliers like Google, Android, Apple and Microsoft, will come under the purview of the new regulation.
The new recommendations will be a big blow for digital communication companies such as Facebook, Amazon, Alphabet-owned Google, Microsoft, among others. Several digital firms rely on consumer data to generate revenues.
The main concern will be fixing responsibility on one or two companies for breaching such guidelines. In addition, the TRAI recommendations released on Monday do not set out any penalty for erring companies. This indicates that guidelines alone will not be enough to guide big organizations in India.
“We are happy with the TRAI’s recommendations on Privacy, Security and Ownership of Data as the regulator is calling for all digital entities to be brought under data protection framework,” said Rajan S Mathews, director general of COAI.
TRAI said India’s service providers should build a consent mechanism for wireless customers to ensure sufficient choices for the users of digital services.
A framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by the Reserve Bank of India, should be notified for the telecommunication sector also. It should have provisions for users to revoke the consent at a later date.
Multilingual, easy to understand, unbiased, short templates of agreements / conditions should be made mandatory for all the entities for the benefit of consumers, TRAI said.
TRAI said data controllers should be prohibited from using pre-ticked boxes to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Devices should disclose the terms and conditions of use in advance, before sale of the device. It should be made mandatory for the devices to incorporate provisions so that the user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides.
Also, the user should be able to download the certified applications at his/her own will and the devices should in no manner restrict such actions by the users.
The Department of Telecommunication should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors. To ensure the privacy of users, a National Policy for encryption of personal data, generated and collected in the digital ecosystem, should be notified by the Government at the earliest.
TRAI said personal data of telecommunication consumers should be encrypted in motion as well as in storage in the digital ecosystem. Decryption should be permitted on a need basis by authorized entities in accordance with the consent of the consumer or as per the requirement of the law.
All entities, including telecom service providers such as Airtel, BSNL, Idea Cellular, Vodafone and Reliance Jio, should disclose information about privacy breaches on their websites, along with the actions taken for mitigation and for preventing such breaches in future.