In 2018, data privacy has become the most used/abused term across the globe. In India too, there have been continuous developments, recommendations, rules, laws and controversies surrounding data privacy and security.
In the latest development, Trai (Telecom Regulatory Authority of India) released its recommendations on the subject entitled ‘Privacy, Security and Ownership of Data in the Telecom Sector’, which are applicable for apps, browsers, operating systems, and handset makers.
The telecom regulator has said that since all user data passes through telecoms and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities.
The recommendations will put the device manufacturers, browsers, operating systems, and applications in a prime position to collect and process the personal information of users, said Trai.
Further, in its recommendations, Trai said that individual users own their data or personal information and devices were “mere custodians” and do not have primary rights over that information.
It also said that the current framework for the protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.
Srikrishna Committee Is Bringing A Data Protection Act, So Why Regulations?
The industry stakeholders have raised concerns over the timing and jurisdiction of Trai with these recommendations.
It is to be noted that the government-appointed Justice BN Srikrishna committee is in the final stages of drafting the data protection law.
An official of the Ministry of Electronics and Information Technology said that the Data Protection Act will “prevail” over everything else.
“Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for Trai as the sectoral regulator but the basics of privacy will be governed by the data protection Act,” the official added.
The official also added that Trai saying that their recommendations will be applicable till the data protection law comes into force “doesn’t make sense since it won’t have a legal mandate”.
In its statement, the Internet and Mobile Association of India (IAMAI) called Trai’s assertion that the existing framework is not sufficient to protect telecom consumers “contradictory”.
“Trai recommendations on privacy are premised on a voice and SMS regime. It is not meant for data-driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give call detail records. Incidentally, the Srikrishna committee under the Ministry of Electronics and Information Technology, which is the nodal body for apps as well as for handset manufacturers, is deeply looking into this issue of consent, which is a fair thing to do.”
At the same time, the Indian Cellular Association (ICA), which represents most of India’s top handset makers, said that the telecom watchdog has absolutely no powers to begin regulating on issues of privacy and ownership of data, leave alone having jurisdiction over devices, operating systems, browsers and applications.
“The industry rejects Trai’s attempts to expand its powers and usurp government’s jurisdiction.”
It added that Trai “jumped the gun” by seeking to regulate the digital ecosystem without waiting for the data protection law under consideration by the Srikrishna committee.
Further, handset makers such as Intex and Karbonn have said that they should be kept out of the ambit of the proposed regulations because they don’t use customer data or monetise from it, which is mostly what apps do.
The companies believe that any additional pressure on indirect costs will lead to wafer-thin margins getting eroded further and consumers will have to bear the brunt, as it will lead to increase in prices of mobile phones.
To counter these questions, Trai Chairman RS Sharma said that it has the jurisdiction to protect consumer interest in the sector, and those who feed off the industry — content providers, apps, browsers, operating systems and devices — need to be accountable as far as data protection is concerned.
He added that there is a regulatory imbalance because entities such as devices, operating systems, browsers and apps are not following any law. “So, the government can come up with a broad framework but till that time let the telecom rules apply on them too,” Sharma added.
Amid the debate, Trai’s recommendations have been sent to the Department of Telecommunications (DoT), which has to take a final call on whether they will be adopted.
[The development was reported by ET.]