MUMBAI: The Telecom Regulatory Authority of India (TRAI) has come out with its recommendations on ‘Privacy, security and ownership of data in the telecom sector’.
It says that digital ecosystems that collect user data are just custodians and don’t have privacy rights over it. TRAI therefore recommends that a study be undertaken to formulate the standards for anonymisation/ de-identification of personal data generated and collected in the digital ecosystem.
All entities in the digital ecosystem that control or process the data should be restrained from using meta-data to identify individual users. The existing framework for protection of the personal information/ data of telecom consumers is not sufficient. Therefore, to protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem that control or process their personal data should be brought under a data protection framework.
Till a government-notified law is passed, the existing rules/ licence conditions applicable to TSPs for protection of users' privacy should be made applicable to all the entities in the digital ecosystem.
Consumers should be given the right to choice, notice, consent, data portability, and the right to be forgotten. The right to data portability and the right to be forgotten, being restricted rights, should be subject to applicable restrictions.
Multilingual, easy-to-understand, unbiased, short templates of agreements/ terms and conditions should be made mandatory for all the entities in the digital ecosystem for the benefit of consumers. Consumer awareness programs should be undertaken to spread awareness about data protection and privacy issues so that users can take well-informed decisions about their personal data.
Data controllers should be prohibited from using ‘pre-ticked boxes’ to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements. Devices should disclose the terms and conditions of use in advance, before sale of the device. It should be made mandatory for devices to incorporate provisions so that the user can delete pre-installed applications if he/she so decides. Also, the user should be able to download certified applications at his/her own will, and the devices should in no manner restrict such actions by users.
To ensure the privacy of users, a National Policy for encryption of personal data generated and collected in the digital ecosystem should be notified by the government at the earliest. To ensure the security of the personal data and privacy of telecommunication consumers, their personal data should be encrypted in motion as well as in storage in the digital ecosystem. Decryption should be permitted on a need basis by authorised entities, in accordance with the consent of the consumer or as per the requirement of the law.
A common platform should be created for sharing of information relating to data security breach incidents by all entities in the digital ecosystem, including telecom service providers. It should be made mandatory for all entities in the digital ecosystem, including all such service providers, to be a part of this platform. Data security breaches may take place in spite of adoption of best practices/ necessary measures by the data controllers and processors. Sharing of information concerning data security breaches should be encouraged and incentivised to prevent/ mitigate such occurrences in future.