People should have rights over their data, firms mere custodians: Trai

Consumers should be given the right to choice, consent and to be forgotten to safeguard their privacy, telecom regulator Trai said in its recommendations on various aspects related to data.

Consumers are owners of their data and entities controlling or processing their information are mere custodians and do not have primary rights over this data, Telecom Regulatory Authority of India (Trai) recommended on Monday while saying the current rules for protection of personal data in telecom space are not sufficient.

DNA Money on July 10 had reported that Trai is likely to say that customer is the king of his own data and will have all rights on his/her data and data use should be limited to purpose.

Trai said data controllers should be prohibited from using pre-ticked boxes to gain users consent. And there should be clauses for data collection and purpose limitation should be incorporated in the agreements. Also, it should be made mandatory for the devices to incorporate provisions so that user can delete pre-installed application if they decide to do so.

"The right to choice, notice, consent, data portability and right to be forgotten should be conferred upon the telecommunication consumers," the regulator said in its recommendations on privacy, security and ownership of data in telecom networks.

The recommendations have come at a time when the issues of data privacy and data protection are in the limelight following the leakage of Facebook data by Cambridge Analytica. A committee headed former Supreme Court judge B N Srikrishna, under Ministry of IT and Electronics, is preparing a draft of country's first data protection framework.

The recommendations say that to protect telecom consumers against the misuse of their personal data by broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data, should be brought under a data protection framework.

Besides, a study should be undertaken to formulate the standard for de-identification of personal data generated and collected in the digital ecosystem. All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data (a set of data that describes and gives information about other data) to identify the individual users.

To ensure privacy, national policy for encryption of personal data, generated and collected in digital ecosystem, should be notified by government at the earliest. In August last year, Trai had come out with a consultation paper on this issue.

A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including telecom service providers.

Trai's views might be taken as inputs to the Srikrishna committee's report. The committee was constituted last year and had come out with a white paper seeking stakeholders views.

The whole issue of data privacy and protection again came to the limelight with recent leak of the Facebook users' data including in India. The UK-based Cambridge Analytica has been accused of misusing data of millions of Facebook users to profile and influence voting behaviour.

According to the Trai's consultation paper, about 90% of the data in the world today has been created in the last two years alone with new data being added to this pool at the rate of approximately 2.5 quintillion bytes of data every day. Trai had said while recognising the vast business and efficiency potential of data analytics, it is also vital to assess whether the data protection rights of individuals are being adequately protected in this changing environment.

Trai suggested that all entities in the digital ecosystem that control or process users' personal data such as devices, operating systems, browsers as well as applications be brought under a data protection framework. "Till such time a general data protection law is notified by the government, the existing rules/license conditions applicable to TSPs (telecom service providers) for protection of users' privacy be made applicable to all the entities in the digital ecosystem," Trai said.

Mahesh Uppal, a telecom analyst, said Trai has oversimplified a complex subject. "Trai has made well-meaning recommendations but has proposed something problematic. Equating a telecom service provider with an OTT player is untenable. Given the wide number and range of players in the ecosystem, Trai recommendations seem unenforceable. There is limited international experience to fall back on. In my view, these are premature regulations since we still await the results of the wider-ranging government committee dealing with this issue."

Cellular Operators Association of India director general Rajan Mathews expressed satisfaction with the Trai's recommendations. "All digital entities would include all devices, operating systems, browsers, and applications and would be welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them. This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained. The regulator by making this recommendation is ensuring that no exception is made for any service provider while subjecting them to the rules to meet the national security and privacy norms, i.e, same service same rule should be established for similar service providers. However, this is our preliminary view and we will need to review the other recommendations to determine their implications."

CUSTOMER IS KING

Consumers are owners of their data and entities controlling or processing their information are mere custodians