The Telecom Regulatory Authority of India (TRAI) released its Recommendations on Privacy, Security and Ownership of Data (the Recommendations) in the context of the telecommunication domain. The Recommendations, besides elaborating on the need for and importance of data privacy in telecommunications, also analyse the telecommunication environment to assess whether the existing data protection framework is sufficient. The Recommendations are a continuation of the consultation paper on "Privacy, Security and Ownership of the Data in the telecom sector", which TRAI published on 09 August 2017. The consultation paper had aimed to identify the key issues pertaining to data protection in relation to the delivery of digital services through telecommunication systems. TRAI, after considering the responses submitted by stakeholders, has provided these Recommendations.
The present Recommendations are specifically aimed at the privacy, security and ownership of telecommunication users' data, while at the same time attempting to strike a balance with the use of data by data-based businesses. The Department of Telecommunications has, however, indicated that it will not be taking up the Recommendations at present and has referred them to the Srikrishna Committee for its consideration. The Srikrishna Committee is entrusted with formulating the data privacy framework for India.
Data Protection and Telecommunication Users
TRAI conceptualizes the telecommunication environment as a digital ecosystem involving multiple entities such as Devices, Telecom Service Providers (TSPs), Communication Networks, Browsers, Operating Systems, Applications, Over The Top (OTT) service providers, etc. TRAI states that, in most cases, such entities routinely access, collect and collate data pertaining to the user. Such data could include personal information, in which case a user's privacy is likely to be infringed. TRAI therefore proposes that the manner in which data is collected and used should be regulated, and that such collection and use should take place only with the informed and explicit consent of users.
TRAI has provided its recommendations with respect to some of the issues it raised in the Consultation Paper released in August 2017. The recommendations provided by TRAI are aimed at securing the data privacy interests of telecommunication users.
Personal Data and Data Ownership
Despite the absence of any specific legislation on data privacy, some aspects of data privacy are, in fact, present in the Information Technology Act, 2000 (IT Act). The Recommendations, while analysing the definitions provided in the IT Act, note that the definitions of ‘data’ [see End Note 1], ‘personal information’ [see End Note 2] and ‘sensitive personal data or information’ [see End Note 3] provided in the IT Act are similar to the provisions of the EU General Data Protection Regulation (GDPR). The Recommendations positively acknowledge the consistency between Indian law and foreign regulations, and observe that the scope of personal data as defined in the IT Act and the GDPR is fairly broad and does not require any further changes.
With regard to ownership, the Recommendations clarify that ownership of personal data lies with the individual to whom the data relates. The Recommendations also consider entities processing or controlling such data to be mere custodians, which as such have no primary rights over the data. The scope of the Recommendations is limited to personal data only. Personal data may be considered as any data which may be used to identify an individual. The Recommendations further clarify that the personal character of data remains unchanged irrespective of the source from which it is collected.
Although the Recommendations aim to bar the use of personal data in its original form, they do propose that standards for anonymization/de-identification be formulated. Anonymized data is data that cannot be used to identify the individual to whom it relates. Such anonymized data may be used by data-based businesses without compromising users' privacy.
Whether the Data Protection Framework is Sufficient
The Recommendations note that the existing framework for the protection of personal information or data is not sufficient, and identify the gaps in the IT Act owing to which the protection it affords is not comprehensive. The provisions of the IT Act only seek to compensate for breaches of ‘sensitive personal data or information’ [see End Note 4], as opposed to personal data generally. As per the Recommendations, the provisions under the IT Act do not sufficiently address issues pertaining to personal data. TRAI recommends that further stringent measures be put in place to act as a deterrent to offenders.
The Recommendations also note the challenges posed by the use of smart mobile devices and the advent of newer technologies like Over-the-Top (OTT) services. Mobile devices are prominent actors in any telecommunication service. OTT services deliver content over the Internet. Neither is covered by the telecommunication license framework to which telecom service providers adhere. As a result, such entities and services are not obligated to comply with the telecommunication regulations. The Recommendations propose that, until specific data protection legislation is passed, the obligations under the applicable telecommunication framework also be made applicable to all entities that operate in the telecommunication environment. To this end, the Recommendations request the Government of India to notify policies for the regulation of devices and other entities that operate within the telecommunication environment.
It is further recommended that a ‘privacy by design’ model be followed by all entities within the telecommunication environment. To this end, the Recommendations propose reducing reliance on ‘pre-agreed’ consent for the use of services. Such ‘pre-agreed’ consent has been observed to violate data privacy and security.
More Power to the User
The Recommendations seek to provide users with the rights of choice, notice, consent, data portability and the right to be forgotten. The Recommendations propose consent mechanisms with varying levels of granularity in the choices to be provided to users by service providers. Such choices are to be explicitly presented to the user before any data is collected. The Recommendations propose that users be provided with appropriate notices detailing the practices regarding the personal information being collected. Examples of such practices include the purpose of collection and its intended use, and whether the personal data collected will be shared with a third party. Only once notice has been provided may the individual's consent be obtained.
The Recommendations also propose to reduce the complexity of end-user agreements, which, as TRAI notes, are fraught with legal jargon, complex, and typically one-sided. To that end, the Recommendations propose that any agreement for availing services, or agreement accompanying a device, should be easy to understand, be based on short templates and apply to all entities within the telecommunication environment. The Recommendations also intend to promote awareness among the general public about issues pertaining to data privacy through awareness programs.
Data security is paramount if data is to remain secure and resistant to unwanted intrusion. For data security, the Recommendations suggest that the encryption standards present in the telecommunication license agreements be re-examined by the Department of Telecommunications. The Recommendations propose various data security measures, such as encryption of data both at rest and in transit. The Recommendations also propose to establish a collaborative mechanism in which information relating to vulnerabilities and threats is shared and exchanged for the collective betterment of the telecommunication industry. Such collaborative practices have been observed to be beneficial in the Open Source industry. The Recommendations also intend to promote and incentivize transparency, whereby instances of data breach are reported immediately to the users, along with the mitigation strategy being adopted to minimize the risk that may arise from the data loss.
The Recommendations were released just after the Telecom Commission approved TRAI's recommendation on Net Neutrality. The Recommendations are clearly steps in the right direction, with India now seen as a jurisdiction where digital rights are taken very seriously. These measures, if adopted by the Government of India, may prove to be an effective tool for ensuring data privacy and security until specific legislation on data privacy is introduced.
Although the Recommendations aim to address some issues pertaining to data privacy, they do not appear to be very comprehensive. For example, the proposals for simplifying end-user agreements do not factor in the licenses between service providers and the licensing authority. Such licenses are also complex; simplifying agreements between service providers and users without addressing the probable issues arising from the licenses may not achieve the objective of the Recommendations, and may put unnecessary constraints on service providers.
It also remains to be seen whether bringing other services within the scope of the telecommunication regulations is permissible within the confines of the telecommunication legal framework. For example, it is not clear whether the Telecom Regulatory Authority of India Act, 1997 empowers TRAI to regulate any entity operating in the telecommunication environment. In the absence of such powers, implementation of the present Recommendations will remain open to legal challenge. Other services such as OTT may, however, fall within the scope of ‘telecommunication service’ as defined by the Telecom Regulatory Authority of India Act, 1997. This interpretation is yet to be confirmed.
- Section 2(1)(o) of the IT Act
- Rule 2(1)(i) of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Section 43A of the IT Act