No personal data of mobile users should be processed by any person, except for any specific, clear and lawful purpose, said the draft mobile security guidelines (MSG) released by the e-Governance Standards and Guidelines, a project which comes under the Ministry of Electronics and Information Technology.
The draft, overall, covers aspects of mobile security and is aimed at being a single source of future reference for all stakeholders of the mobile services ecosystem in India.
This, along with the draft on Anonymisation of Data guidelines, was released recently for obtaining public comments. A MeitY official said that the deadline for receiving comments is till September 21.
The draft also provides guidelines on how to maintain the privacy of individuals using a mobile phone. Many of the provisions align with the now-withdrawn Personal Data Protection Bill 2019.
“The personal data shall be collected digitally only to the extent that is necessary for the purpose of processing of such personal data,” the guidelines said.
The draft also says that data fiduciaries, which can be any company that collects mobile data, will have to give the mobile user a notice at the time of collection of personal data.
The notice will have to contain information regarding the purposes of the personal data that will be processed, information regarding any cross-border transfer of data and so on.
Apart from that, the draft MSG also categorises the mobile ecosystem based on security standards that are followed.
“All entities of the Mobile Ecosystem, except Mobile User shall be classified under (a) Green Category, if basic security control measures are followed, (b) Orange Category, if basic and foundational security controls are followed and (c) Blue Category, if basic, foundational and advanced security control measures are followed, verified and certified,” the draft recommended.Similarly, mobile users will be classified based on the awareness of mobile security practices under categories such as beginner, normal user and expert.