Telecom regulator TRAI on Monday said each user owned his or her data collected by or stored with the entities in the digital ecosystem that includes devices and applications.
The entities, it stressed, are mere custodians of the data, while pointing out that the existing framework for protecting the personal data of telecom users is not sufficient.
‘Right to be forgotten’
In its recommendations on ‘privacy, security and ownership of the data in the telecom sector’, the Telecom Regulatory Authority of India has said the right to choice, consent, data portability, and the right to be forgotten ought to be given to consumers.
Additionally, the regulator has suggested that all entities in the digital ecosystem that control or process users’ personal data such as devices, operating systems, browsers as well as applications, be brought under a data protection framework.
“Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem,” it suggested.
The government has formed a committee, headed by former Supreme Court judge B.N. Srikrishna, under the Ministry and Electronics and IT, which is working on the country’s first data protection framework.
While proposing that a study be undertaken to formulate the standards for anonymisation, or de-identification, of personal data generated and collected in the digital ecosystem, TRAI also said entities should be restrained from using meta-data to identify individual users.
‘No pre-ticked boxes’
Along with running consumer awareness programmes, the regulator has suggested that multilingual, easy to understand, short templates of agreements or terms and conditions be made mandatory. It has also recommended prohibiting use of “preticked boxes” to gain users’ consent.
TRAI suggested that device manufacturers incorporate provisions so that users can delete pre-installed applications if they so decide. “Also, the user should be able to download the certified applications at his/ her own will and the devices should in no manner restrict such actions by the users,” it said.
The regulator has recommended that the personal data of telecom consumers should be encrypted during the motion as well as during the storage in the digital ecosystem. However, it added that “Decryption should be permitted on a need basis by authorised entities in accordance to consent of the consumer or as per requirement of the law.”
It also suggested that the Department of Telecommunication should re-examine the encryption standards, stipulated in the licence conditions for the TSPs, to align them with the requirements of other sector regulators.
In order to ensure transparency, TRAI has suggested that a common platform be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem, including telecom service providers. “It should be made mandatory … to be a part of this platform.”
“Data security breaches may take place inspite of adoption of best practices/ necessary measures taken by the data controllers and processors. Sharing of information concerning to data security breaches should be encouraged and incentivized to prevent/ mitigate such occurrences in future,” it said.
Further, to ensure the privacy of users, the regulator said that the National Policy for encryption of personal data, generated and collected in the digital ecosystem, should be notified by the government at the earliest.