The Telecom Regulatory Authority of India (TRAI) released their Recommendations on Privacy, Security and Ownership of Data (the Recommendations) in context of the telecommunication domain. The Recommendations, besides elaborating on the need and importance of data privacy in telecommunications, have also analysed the telecommunication environment to assess whether the existing data protection framework is sufficient or not.
The present Recommendations specifically are aimed at privacy, security and ownership of data of telecommunication users, while at the same time attempt to strike a balance with respect to use of data for data-based businesses. Although the Department of Telecommunications has indicated that they would not be taking up the Recommendations right now and have referred the Recommendations to the Srikrishna Committee for their consideration. The Srikrishna Committee is entrusted with formulating the data privacy framework for India.
TRAI conceptualizes the telecommunication environment as a digital ecosystem involving multiple entities such as Devices, Telecom Service Providers (TSPs), Communication Networks Browsers, Operating Systems, Applications, Over-the-Top (OTT) service providers, etc. TRAI has provided their recommendations with respect to some of the issues it raised in their Consultation Paper released in August 2017, of which some of the core issues are discussed below:
1. Personal Data and Data Ownership: In their Recommendations, TRAI acknowledges the importance of personal data. The Recommendations do note the absence of any specific legislation on data privacy. The Recommendations, while analysing the definitions provided in the IT Act, note that the definitions of 'data', 'personal information' and 'sensitive personal data or information' provided in the IT Act, are similar to the provisions of the EU General Data Protection Regulations (GDPR). The Recommendations positively acknowledges the consistency between the Indian laws and foreign regulations, and observes that the scope of personal data as defined in the IT Act and the GDPR is fairly broad, and does not require any further changes.
With regards to the ownership, the recommendations clarify that the ownership of such personal data lies with the individuals with whom the data in question relates to. The Recommendations also considers entities processing or controlling such data to be mere custodians, and as such, have no primary rights over such data. This aspect of the Recommendations unanimously holds that ownership of the data lies with the user with whom the data is related with.
2. Sufficiency of existing Data Protection Framework: The Recommendations notes the challenges posed by use of smart mobile devices and advent of newer technologies like Over-the-Top (OTT). Since neither such services, nor such a device is covered any telecommunication license, the obligation which is application to a telecommunication service provider would not be applicable on such entities. To this end, the Recommendations propose that all entities which operate within the telecommunication environment be brought within the purview of the telecommunication regulations, till a specific legislation on data protection is put in place. As a result, TRAI would have authority over all such entities. This aspect of the Recommendations, however, admittedly has not been received favourably. There is nothing in the telecommunication legislation that allows that such power can be granted to TRAI.
3. User Consent: the recommendations also propose that user's explicit consent for their personal data to be used, be obtained prior to the data being used. The Recommendations seeks to provide the users with the right of choice, notice, consent, data portability and the right to be forgotten. The Recommendations proposes consent mechanisms with varying levels of granularity in choices to be provided to the users by the service providers. Such choices are to be explicitly presented to the user before any data is collected. This is likely to provide more control to the user, and permit any user to determine to what extent their personal data may be collected and used.
4. Data Security: Data security is paramount to ensure that the data remains secure and resistant to unwanted intrusions. For data security, the recommendations have suggested that the encryption standards which are present in the telecommunication license agreement entered be re-examined by the Department of Telecommunication.
The Recommendations are clearly steps in the right direction, with India being now seen as a domain where digital rights are taken very seriously. Although, the Recommendations aim to address some issues pertaining to data privacy but does not appear to be very comprehensive.
Furthermore, it also remains to be seen whether bringing other services within the scope of the telecommunication regulations is permissible within the confines of the telecommunication legal framework. For example, it is not clear whether the Telecom Regulatory Authority of India Act, 1997 empowers TRAI to include any entity operating in the telecommunication environment. In absence of such powers, implementation of the present Recommendations will always be open for a legal challenge. Such other services, e.g., OTT, however may appear to be within the scope of 'telecommunication service' as defined by the Telecom Regulatory Authority of India Act, 1997. This interpretation is yet to be confirmed.
(The author is a Partner, Lakshmikumaran, & Sridharan.)