New Delhi: Entities that control or process personal information and data are mere custodians and do not have primary rights over it, India’s telecom regulator said, suggesting that users be given the right to choose the information they want to share and be forgotten if they so desire.

The existing framework for protection of personal data of telecom consumers is not sufficient and hence all entities that process personal user data should be brought under a data protection framework, the Telecom Regulatory Authority of India (Trai) said in recommendations made public on Monday.

Trai’s suggestions assume significance as a huge chunk of user data is being generated on smartphones. Telecom operators, who control the networks on which information flows, have the ability to analyse the contents. Data collated by mobile applications over a period of time can be used to profile people, which poses a risk to data privacy.

These recommendations will also act as crucial inputs to the Justice B.N. Srikrishna committee, set up by the government in July last year. The panel has been tasked with identifying overall data protection issues in India and recommending ways to address them.

“Trai’s suggestions are broadly general. The Srikrishna committee report is awaited for further clarity on how the overall data protection framework will be enacted. However, Trai’s suggestions may have also tied the hands of the committee in case it wanted to take a contradictory position,” said Suneeth Katarki, partner, IndusLaw.

User-generated data is integral to the business models of major communication and social media networks as it makes them valuable to advertisers, who in turn use this to help companies target goods and services at consumers.

In August 2017, Trai had published a consultation paper to identify the scope and definition of personal data and ownership, and control of user data by telecom service providers. Trai’s most recent suggestions, which are only meant for operators and telecom subscribers, also say that the present definition of personal information and data should be continued till the enactment of a specific data protection law.

“User should be able to selectively give his/her consent for each purpose separately rather than a blanket consent for all conditions,” Trai has suggested. “The service provider should not deny all the services to user on the pretext that the user has not given blanket consent for all conditions. Any form of implied consent by the service should also not be permitted.” Data controllers should also be prohibited from using ‘preticked boxes’ to gain user consent, said the regulator.

As far as ‘terms and conditions’ are concerned, these agreements and notices should be provided in an easy-to-understand, short, multi-lingual format, Trai said.

The regulator has also suggested that the user should have the ‘right to be forgotten’, i.e. be able to delete past data such as photographs, call records and video clippings. This, however, should be implemented with necessary safeguards, subject to the requirements of law enforcement agencies and licensing conditions.

The right to be forgotten has also been included under the European Union’s General Data Protection Regulation, a clear, prescriptive and compliance-heavy piece of legislation enacted to protect data privacy of EU citizens.

Moreover, to ensure the privacy of users, a national policy for encryption of personal data should be notified by the government at the earliest, Trai said.

“We are happy with Trai’s recommendations as the regulator is calling for all digital entities to be brought under data protection framework. This would include all devices, operating systems, browsers and applications and would be welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them,” said Rajan S. Mathews, director general, Cellular Operators Association of India.

“However, this is our preliminary view and we will need to review the other recommendations to determine their implications,” Mathews said.
