Last week, the Department of Telecom gave the nod to net neutrality regulations, ensuring that there would be no discrimination of data at a time when the US is moving in the opposite direction. The net neutrality norms were based on the recommendations from the Telecom Regulatory Authority of India (TRAI) – which the BBC in November described as the world’s strongest – but the regulator isn’t celebrating right now – it’s moved on to another equally important topic – privacy and data protection.
On Monday, TRAI announced its recommendations on privacy, security, and ownership of data in the telecom sector, and the 77 page document serves as the first major public guidelines on privacy and data protection in India.
TRAI has outlined a consent based framework, where users have to clearly choose what data is being used, which bears some similarities to Europes GDPR. TRAI noted that while the right to privacy should not be treated solely as a property right, it must be noted that the controllers of personal data are mere custodians without any primary right over the same. In other words, your data should belong to you, and not to Google, or Facebook, or any other company which holds your data.
“The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers,” TRAI recommended
In section 2.3, it also notes that meta-data is personal information and as such should be given the same protections. This is an important point given that even metadata can be used to track and identify people accurately. It also noted that there needs to be a right to be forgotten, and once you stop using a service it should not store your data beyond what’s mandated by the law, according to section 2.46. Section 2.49 also allows users the right to withdraw consent, which means that even if people have given consent to gathering your data, users will be able to stop tracking on demand.
At the same time, TRAI also noted the stop-gap nature of its recommendations, and said, “till such time a general data protection law is notified by the government, the existing Rules/ License conditions applicable to the Telecom Service Providers for protection of users should be made applicable to all the entities in the digital eco-system.”
Good, with some caveats
Early reactions to the recommendations are largely positive. On Twitter, lawyer Apar Gupta, who is one of the founding members of the Internet Freedom Foundation shared some quick thoughts about the recommendations. Describing this as a substantive document he called it “partly positive since it calls for interim safeguards”, but added that the “form of some seems problematic.”
On the plus side, he noted that many of the protections in the recommendations “focus on a user rights model, which includes notice, choice, consent, portability, deletion and erasure.” He also praised the recommendations for not taking a view on data localisation, and that the protections need to apply to private as well as state entities.
However, he criticized the fact that TRAI is planning to impose license conditions on all OTT providers – that is to say, all third party services. He also noted that the recommendations did not directly address state surveillance. He also pointed out that an Electronic Consent Framework as described in the recommendations may “centralise consent requests thereby may end up generating more personal data and unifying them into a single portal managed by the govt/regulators.”
“We are happy with the TRAI’s recommendations on Privacy, Security and Ownership of Data as the regulator is calling for all digital entities to be brought under data protection framework. This would include all devices, operating systems, browsers, and applications and would be welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them,” said Rajan Matthews, DG Cellular Operators Association of India.
“This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained. National security and privacy issues are of paramount importance. Accordingly, the regulator by making this recommendation, is ensuring that no exception is made for any service provider, while subjecting them to the rules to meet the national security and privacy norms. However, this is our preliminary view and we will need to review the other recommendations to determine their implications.”
Speaking in a television interview, Pranesh Prakash, Policy Director at the Centre for Internet and Society, said he’s still processing the document, but “on the face of it it seems good.”
“There are still certain concerns I have which haven’t been addressed. The telecom licenses themselves, which are issued by the Government of India, require a whole lot of data to be collected, metadata to be collected, by telecom companies. So I’m not sure how that requirement by the Government of India squares off with what is now being recommended by TRAI.”
“Let me also point out that one of the things that TRAI says, and it might be exceeding its brief a little bit, is that it says this should not only cover telecom operators, but also device manufacturers, operating systems, application creators, and other kinds of software. What TRAI seems to want to do is actually quite a bit more than what I think the DoT has, or really ought to be doing. I really don’t understand whether this will find any favour in the interim before the government decides to take up the Justice Srikrishna Committee report.”
Justice Srikrishna committee report still due
Although TRAI’s recommendations are an important document, and will serve as stopgap privacy rules, India is also on the verge of a data protection and privacy bill, which will be based on the recommendations of the Justice BN Srikrishna committee on the subject. The committee was formed in August and was expected to deliver its report in June, but sources say that disagreements over the Aadhaar have caused some delays.
The committee is expected to send its recommendations to the government soon, at which point things could change, but for now, TRAI’s recommendations are an important development as India moves to secure the privacy of its people.
Ahead of that though, you can read the full TRAI recommendations here.