Taking a leaf out of the General Data Protection Regulation (GDPR) rulebook drawn up by the European Union, the telecom regulator on Monday proposed strong data protection laws aimed at ensuring that Indian telecom users have the right to their own digital data.
If the recommendations are accepted by the Centre, digital service providers such as Google and Facebook, application developers like WhatsApp, government entities like UIDAI, device-makers such as Xiaomi along with telecom operators will have to make sure that users’ data can be collected only with their explicit consent.
Once collected, the user data can be used only for the limited purpose of providing the service for which the user has signed up.
The proposed rules also have provisions for revoking the consent at a later date. A user will also have the right to be forgotten, which means that the service provider will be mandated to erase all personal data related to that consumer.
“The Authority is of the view that the individual must be the primary right holder qua his/ her data. While the right to privacy should not be treated solely as a property right, it must be recognised that controllers of personal data are mere custodians without any primary rights over the same,” the TRAI said while issuing its recommendations.
The regulator has also questioned the practice of pre-loaded applications on mobile phone and application developers seeking unnecessary permissions from users as a pre-condition.
For example, an application that activates a flashlight as a torch on a mobile device may seek permission for access to the camera, the microphone, and the contact list. The flashlight application simply creates a logical circuit between the battery and the camera flashlight, and does not require access to the camera, the microphone or the contact list for its operation.
“After obtaining explicit consent of the user, only bare minimum data, which is essential for provisioning of a particular service, should be collected. Collection of unrelated or unnecessary data by service providers in the digital ecosystem must be barred,” the regulator said, adding that all entities in the digital ecosystem, which control or process the data, should be restrained from identifying the individual users.
Pushing for the ‘Privacy by design’ principle, the TRAI said a framework, on the basis of the electronic consent framework developed by Ministry of Electronics and IT (MeitY) and the master direction for data fiduciary (account aggregator) issued by the Reserve Bank of India, should be notified for the telecommunication sector also. The rules proposed by the TRAI come at a time when questions have been raised on the lack of data protection for Indian users of digital services.
It has been found through recent data breaches on platforms like Facebook that the user is forced to part with his personal data with very little information about the scenarios/ uses that his personal data would be put to. “He has no facilities to access, view, amend, or delete his data submitted. In case of any data breach, he may not even be informed about it till it gets reported,” TRAI said.
While the US and Europe have enacted robust data protection laws, Indian policymakers have so far moved slow on this aspect. A white paper on data protection across all sectors by a high-level government committee headed by Justice BN Srikrishna was released in November 2017, but there has been no significant movement towards bringing in a comprehensive policy.
In this context, the rules proposed by TRAI are significant, although they are limited only to telecom-related services.