Consumer data is sacrosanct. Telecom regulator Trai has expressed this view while recommending that right to choice, notice, consent, data portability and the right to be forgotten should be conferred upon telecommunication consumers.
The regulator said that in order to ensure the privacy of users, a national policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest.
“To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data, should be brought under a data protection framework,” Trai said. Till the law is evolved, licensing conditions of the telecom service providers should be applied to them to enforce privacy safeguard.
Trai said each user owns his/her personal information/data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data. A study should be undertaken to formulate the standards for anonymisation/de-identification of personal data generated and collected in the digital eco-system. All entities in the digital ecosystem, which control or process the data, should be restrained from using Meta-data to identify individual users.
Pavan Duggal, a cyber security expert and a senior lawyer in the Supreme Court, said: “The recommendations represent a landmark step forward in empowering consumers recognising their data ownership rights and protecting their privacy.
“The recommendations have broken new ground in recommending the right to be forgotten be incorporated as part of its proposed data protection framework in India. If these recommendations are accepted, they will usher in a new era of respect for netizens’ data related rights as well as their privacy,” Duggal said.
“The recommendations on data protection is much along the European Union General Data Protection Regulation (EU GDPR) that came in to effect from May. By conferring the ownership of data to the consumers, Trai has enforced the responsibility and liability of the telecom and internet service providers on protecting the privacy of the consumers. A landmark recommendation, hoping to be enacted soon,” said V Sridhar, a data security expert who works at IIIT (Bangalore).
Trai’s concerns are rooted in the recent and ongoing debate of misuse of personal data by universal biometric identification agency Aadhaar. Facebook allegedly misused users data for political and social profiling. Telecom companies are using their data of their own customers to sell allied businesses like insurance, opening bank accounts by them or their partners. These issues have created turmoil in the system and the policy makers have been called upon to check the spillage of personal information.
The Telecom Regulatory Authority of India (Trai) has suggested that to ensure privacy of telecom consumers, personal data should be encrypted during the motion as well as during the storage in the digital ecosystem. Decryption should be permitted on a need basis by authorised entities in accordance to consent of the consumer or as per requirement of the law.
Telecom operators are happy with the recommendations as they included the Skype, WhatsApp also into the framework.
Telecom analyst Mahesh Uppal of ComFirst said these recommendations will be difficult to enforce and are confusing. “The recommendations are well meaning but very difficult and almost impossible to enforce. It is trying to treat telcos and OTTs (Over The Top) players in the same way which could be of problem as they belong to different layers of the network. The number of players in the whole digital ecosystem is huge and the people who deal with personal data are in hundreds. And how you regulate them is very complex.”
“And the fact that they are premature with the government is already engaged on the subject based on the Sri Krishna Committee. Some of it would be overlapping with each other. It becomes complicated with two separate government agencies dealing with the same issue in their own way and it is not clear how they will be reconciled and if the Trai report will influence the Sri Krishna report which is overdue. From a public policy perspective it is very confusing,” Uppal added.
“The government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership, protection and privacy,” Trai said.
(With inputs from Mini Tejaswi in Bangalore)