Date: 2018-07-18

As a committee of experts led by Justice BN Srikrishna is yet to release its report on data privacy, and possibly a draft law, recommendations on privacy released by the Telecom Regulatory Authority of India (TRAI) acquire significance. While it is difficult to guess whether TRAI’s recommendations will be adopted by the Srikrishna committee, they are an indication of how privacy is being thought about in bureaucratic circles.

Firstly, following the Supreme Court’s judgment affirming that privacy is a fundamental right — an idea which the current government opposed — the TRAI recommendations put the users at the centre of privacy, and give us control over our data; i.e. informational self-determination.

If these recommendations are accepted by the government, users will effectively own their personal data, with the primary right over it. This means that apps, websites and services, which collect our data, are going to be treated as mere custodians of the data. This gives users the power to know what kind of data is being held by each organisation, the purposes for which the data has been collected, what it is being used for and whether consent from the user was taken or not.

TRAI has sought data minimisation, wherein the privacy of a user's data should not be compromised by the design of the systems that collect it, and those systems need to minimise data collection: only the data necessary to deliver a particular service should be collected.

The right to data portability will allow users to transfer their data to other service providers. In addition, TRAI has recommended the right to data deletion, which it has mistakenly conflated with the right to be forgotten. For example, it will allow a user to delete data that a telecom operator has collected.

On expected lines, TRAI has recommended an improvement to consent for data collection. Today when we click “I Agree” when downloading an app, the terms are designed to protect the app, and given all the legalese, end up confusing users. No one reads these terms and conditions. For many new Indian internet users, English is a language that they don’t necessarily understand.

TRAI has recommended that terms and conditions be made available in a multi-lingual format, easy to understand, and in the form of short templates. These terms and conditions will not have pre-ticked boxes. Now these are not ideal solutions: people who want to use an app will still tick a box and click “I Agree”, but this is a part of a process of improving consent. With time, the world will evolve better means of getting meaningful consent.

What’s tricky, though, is how TRAI has expanded the requirement for consent to devices, over which it probably doesn’t have jurisdiction. Today devices collect data about their usage. The telecom regulator has recommended that devices need to disclose terms and conditions in advance, before purchase of the device. While the move is welcome, it’s a bit odd that TRAI has recommended allowing users to delete pre-installed apps from devices.

TRAI doesn’t have jurisdiction over the internet, so it’s disconcerting to see it try and extend that to devices. In the same manner, it has said that until a data protection framework is in place, the government should notify these rules, which will be applicable to telecom operators, to be made applicable to “all the entities in the digital ecosystem”, including devices, operating systems, browsers and applications.

Two areas where there are important recommendations from the TRAI are encryption and data breaches. On encryption, the TRAI has recommended the creation of a National Policy for Encryption, and that personal data of mobile users should be encrypted during transfer, as well as when it is stored. At this point in time, this data is unencrypted and thus susceptible to snooping. All SMSes and phone calls can be easily tapped using sniffers.

That said, we have to be careful about what the government is doing regarding encryption, because the last policy required that users store copies of their messages in an unencrypted form. On breaches, which are instances of data being hacked or leaked, the TRAI has taken a non-adversarial approach.

One issue that startups worry about is how law enforcement agencies will interact with them, in case they get hacked. The TRAI has suggested the creation of a common platform for sharing of such information, and incentivising the sharing of breach information. The only challenge here is making it mandatory for all entities in the digital space to become a part of this platform: how and why will billions of websites sign up for such a platform, and what will the Government of India do if they don’t?

All in all, the recommendations from the TRAI are measured, even though it has avoided commenting on particularly contentious issues of data localisation, cross-border data flows, lawful interception and mass surveillance from the government, auditing technology businesses for privacy, and legitimate exceptions to privacy.

In a sense, the TRAI has probably made recommendations on issues where there is broader consensus on the way forward. The regulator, in consumer interest, should have thrown its hat in the ring on issues on which there isn’t consensus.