
The Telecom Regulatory Authority of India (Trai) Monday recommended that current privacy rules applicable to telecom service providers should also apply to “all entities in the digital ecosystem” until the upcoming general data protection law is enacted.
The regulator stated that the existing data protection regulation inadequately regulates government use of data, and insufficiently protects personal information on the basis of consent, privacy, access, and correction.
The report said: “The need for a more symmetric, all encompassing … data protection framework for all the players in the digital ecosystem is therefore urgent and inescapable … (T)he data protection framework should be equally applicable to both government as well as private entities.”
A person with knowledge of the drafting process told The Indian Express that this paper can be seen as an input to the Ministry of Electronics and Information Technology (MEITY) committee slated to release a draft data protection law in the near future.
Entities, as per the report, include telecom service providers (TSPs); devices such as mobile handsets, tablets, and computers; browsers; operating systems; communication networks; machine to machine (M2M) devices; over the top (OTT) service providers; and applications.
The report stated that data subjects should own their own data, leaving controllers and processors of that data as mere “custodians (with no) primary rights over this data.” Users should retain rights of choice (to opt-out), notice (information about data collection purposes and distribution), consent, data portability (transfer of data between services), as well as the right to be forgotten (the deletion of information about oneself).
In an Idea Exchange interaction earlier this year, Trai chairman R S Sharma had said: “For me, data privacy means that a person has control over his or her own data … I think if we can be clear on the concept of ‘ownership’ and be clear about the privacy and security standards of data, we will sort out the problems.”
Data controllers and processors should refrain from using meta-data (higher-level information about data) to identify users, allow users to delete pre-installed applications, apply “privacy by design,” minimise data collection, and not use “pre-ticked” consent boxes, according to the report.
On the topic of data localisation, Trai stated that the government should transfer data only to countries which have Mutual Legal Assistance Treaty (MLAT) agreements with India and in which there are adequate privacy and security regulations.
The government should also distinguish critical and sensitive data (related to national security and healthcare respectively) that should be stored in data servers in India on a case by case basis, Trai stated. “Instead of restricting cross border data flow, the government should regulate it.”
Trai also proposed developing India’s data analytics sector to promote local data processing.
The report also referred to MEITY’s Electronic Consent Framework, which involves a data sharing architecture called “Data Empowerment Protection Architecture.” The report recommended developing a similar architecture for the telecom sector.
For audit mechanisms, the report suggested a hybrid human and technology approach, as seen in the European Union’s General Data Protection Regulation, but did not make further specific audit recommendations.
The regulator recommended a common platform that aggregates all data security breaches by all entities in the digital ecosystem. It also recommended introduction of consumer awareness programmes.
The report recommended keeping present definitions of “personal data” — as delineated in the “Sensitive Personal Data and Information” (SPDI) Rules of 2011 — because they align with international norms.