Podcast | TRAI backs data privacy, says ownership of data lies with consumers

Not too many days after the Telecom Regulatory Authority of India (TRAI) ruled in favor of net neutrality in India, it has come out in favour of data privacy. Earlier today, TRAI announced that companies  collecting user data have no primary rights over such data and emphasised that consumers' consent should be made mandatory.

Adding that the laws in place for the protection of personal data in the telecom space are not sufficient, TRAI said it would like to see consumers being given the "Right to be Forgotten".

TRAI chairman RS Sharma, the man at the centre of the data privacy tussle, said, "Telecom users are real owners of data and rest of players are mere custodians."

TRAI has also recommended regulation of all platforms that deal with consumer data  — meaning devices like iPhones, operating systems such as Android, browsers like Chrome and apps like Facebook, Paytm, Uber or Ola — by including them in licence conditions that apply to telecom service providers until the time a general data protection law is in place.

The regulatory body said issues like data ownership, privacy, and security are complex, multi-dimensional and that individual users owned their data, or personal information.

And the regulator isn't leaving any room for ambivalence here. It said ownership rights of the user over personal data "are supreme" and, importantly, added that securing consent of the individual must be explicit. TRAI insisted that these not be superseded by the rights of data controllers, data processors, or any other such entity in the ecosystem

TRAI's efforts to bring in regulation of more entities including apps goes back to August of last year, if not earlier. The regulator has been working on privacy, security and ownership of data in telecom networks recommendations and suggested that entities should be allowed to gather only the bare minimum data needed for providing a particular service to consumers. The agency believes they should be restrained from using metadata to identify individual users.

"The right to choice, notice, consent, data portability, and right to be forgotten should be conferred upon the telecom consumers," TRAI reiterated, adding. "Granularities in the consent mechanism should be built-in by the service providers."

And it looks like TRAI is serious when it says granularities. It wants to make mandatory short templates of agreements or terms and conditions, what we now refer to as T&C, in multiple languages. It wants such information to be easy to understand and unbiased.

This is what it had to say about everyone's least favourite thing - lengthy EULAs, according to the Times of India: "Many times, end user agreements/terms and conditions that a user  is served at the time of availing any services, procuring any device etc are one-sided, complex, lengthy, full of legal jargon and in a language that a user may not understand. The user has no other choice but to accept them to avail the services of the entity."

A common platform for sharing of information relating to data security breaches by all entities, including telcos, should be created, according to the regulator. And that's not all. It asks that the DoT reexamine encryption standards in licence conditions for telecom companies.

TRAI is also batting for a national policy for encryption of personal data, generated and collected in the digital ecosystem, and notified by the government to ensure privacy of users.

This is important because TRAI is looking at storing in encrypted form in a digital ecosystem the personal data of approximately one billion telecom consumers, if not more.

Now, it must be stated here that the recommendations are not binding in nature but assume importance in view of various cases of data breach. .The most notorious one, of course, was the manipulation of Facebook users’ personal data by Cambridge Analytica. The new recommendations, pending DoT approval, have been shared keeping in mind the government’s ongoing work on its first data protection law.

The proliferation of electronic devices like mobile phones in the country can only mean that massive amounts of data would consist of personal details of individuals - like purchases made, financial transactions, places visited, demography, health statistics, education, work profile to name a few.

Given the ubiquity of such devices, the right to be forgotten has been included under the European Union's General Data Protection Regulation, or GDPR, a prescriptive and compliance-heavy legislation that claims to protect data privacy of EU citizens.

It should come as no surprise then that TRAI, which recently joined forces with BEREC of Europe on the issue of net neutrality, also suggested that users must have the 'right to be forgotten'. This means being able to delete all past data  - photographs, call records, video clippings etc. Mint notes that such a law can be implemented with necessary safeguards, subject to the requirements of law enforcement agencies and licensing conditions.

These observations by TRAI precede the Justice BN Srikrishna committee recommendations on data privacy. While telecom companies are currently covered by data-privacy laws, the same rules do not apply to the fast-growing ecosystem of apps as well as the mobile device makers. The new recommendations can potentially impact the business of companies like Apple, Samsung, Google, Amazon, and, of course, Facebook, besides plenty of online Indian businesses.

In particular, some of the new rules seem to be aimed at Apple, the maker of this thing called the iPhone. The telecom regulator said mobile phones or devices must disclose the terms and conditions of use before sale and has mandated that users can delete pre-installed apps and be able to download certified apps without restrictions.

Some legal counsels feel such specific recommendations affect operating systems such as Apple's iOS, which doesn’t allow users to download any app they wish to. Pranesh Prakash, a lawyer who works with the Centre for Internet and Society, told ET he's "not sure...DoT is the right entity to provide a policy framework, as TRAI puts it, for the regulation of applications, browsers, and operating systems."

Apple and TRAI have been sparring for over a year over the regulator’s demand for access to call logs and text messages required for filing complaints through TRAI's own do-not-disturb (DND) app. And it's easy to see why. Apple's privacy rules that do not allow third-party apps access to calls or messages. On the other hand, TRAI has been pushing Apple to allow the app on its devices, claiming the move is in consumer interest.

Content companies claim, according to a report in the  Economic Times, that they are already covered under the IT Act and should ideally not be equated with telcos because they operate in a different market. Further regulation would only stifle innovation, they claimed. TRAI, however, counters that by observing that "smart devices are increasingly playing a gatekeeping role over the network. They determine how users connect to and experience a network."

So while app makers have usually tended to oppose additional regulation, Paytm's COO Kiran Vasireddy welcomes TRAI's move towards stricter data laws. He told the Economic Times, "Our country is currently undergoing the formulation of a comprehensive data protection and security framework. This will help set an important benchmark. Paytm has always stood up for data localisation and data sovereignty and will continue its efforts in this direction."

The new move to bring app makers under the same regulations is welcomed by telecom providers and internet service providers but content providers have been opposed to being brought under more regulation. Rajesh Chharia  of the Internet Service Providers Association of India said the new recommendations to extend the same rules to entities like browser developers and app developers “will force them to take greater responsibility on this score, which is ultimately good for the consumer”.

Rajan S Mathews, director general of the Cellular Operators Association of India, said, "National security and privacy issues are of paramount importance. Accordingly, the regulator by making this recommendation, is ensuring that no exception is made for any service provider."

TRAI, in its overall recommendations that run into 77 pages, said, "The government should put in place a mechanism for redressal of telecommunication consumers' grievances relating to data ownership, protection, and privacy". It added that "notice, choice, and consent" are the most important rights that need to be given to consumers.