Bengaluru/New Delhi: The recommendations on data privacy by India’s telecom regulator are progressive and promote data privacy of users but are unlikely to have an impact on privacy regulation, experts said.
On Monday, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information and severely restricting the ways in which telecom and internet companies can use customer data. Trai’s other suggestions include giving users the so-called right to be forgotten.
However, the timing of Trai’s recommendations has puzzled experts, who expressed doubt that these proposals will have any impact on the Srikrishna committee that was formed by the government last July in order to suggest principles for data protection and suggest a draft data protection bill.
The 10-member panel headed by former Supreme Court justice B.N. Srikrishna was expected to submit its report in May. But last month, information technology minister Ravi Shankar Prasad said that the committee was still working on the report. (In 2011, India had formed a committee under justice A.P. Shah to suggest a privacy law but its proposals were not enacted.)
“In several of its recommendations on data privacy, Trai appears to have gone beyond the telecom sector and made wider recommendations so they may at best act as mere recommendations to the government when it finalises a data protection law based on the Srikrishna committee report,” said Kartik Maheshwari, leader at law firm Nishith Desai Associates. “This committee has been working on its report for a year and may be already ready with its recommendations. Therefore, it’s unlikely that Trai’s recommendations will have any significant impact on the report at such a late stage,” Maheshwari said.
Moreover, most of Trai’s recommendations from Monday were already covered by a white paper that was drafted by the Srikrishna committee last November. That white paper extensively covered Trai recommendations on ownership of data, data controllers, data minimization and portability, among others.
“Most of the points intended to be covered by these recommendations were included as questions in the white paper that was drafted by Srikrishna last year so it doesn’t cover much new ground,” Maheshwari said.
It is not entirely clear why Trai released the recommendations now, said Rahul Matthan, partner at law firm Trilegal. “The justice Srikrishna report is due any time now and the Trai recommendations will have to conform to it. That said, the recommendations are important because they are an indicator of how the government is thinking about privacy. And it’s encouraging to note that the recommendations are progressive, pro-user and pro-privacy. They are very much on the lines of modern privacy laws around the world,” Matthan said.
Matthan was referring to Europe’s recently-enacted data privacy regulation, the General Data Protection Regulation (GDPR), which puts the toughest restrictions till date on how companies can use customer data. The new regulations will force companies to disclose what data they have on users, making it difficult for internet companies to sell user data, among other measures.
Given that Trai’s recommendations track GDPR in several aspects, it’s not surprising that a lobby of internet companies criticised the proposals, which it said are not suitable for “data-driven businesses, which the app economy represents”.
“If the same rules are applied, then there is a possibility that India will never be able to build data businesses,” the Internet and Mobile Association of India (IAMAI) said in a statement.
Trai’s recommendations have largely been framed for old businesses like Mobile VAS, which are no longer relevant today, added Nilotpal Chakravarti, associate vice-president at IAMAI.