The Telecom Regulatory Authority of India (TRAI) today issued various recommendations on security and ownership of and rights over telecom data. Recommending data privacy rules, the regulator said that the existing norms were not adequate to protect consumers. TRAI said companies that collect and process user data have no right over it. It said the entities controlling and processing user data are mere custodians. This is as per a news report by the Economic Times.
It said companies should disclose breaches of user data. It said companies should not use metadata to identify users. TRAI said the government must bring all entities that control or process personal data under a data protection framework. The government must notify a policy framework to regulate devices, operating systems, browsers and applications, it recommended. It said a study needs to be done to formulate standards for anonymisation/de-identification of data.
The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.
A large amount of user data is generated in the telecom space through devices and SIMs. There have been deep concerns about its use by companies.
In August 2017, the telecom regulator came out with a consultation paper on ‘privacy, security and ownership of data in the telecom sector’ and sought comments from stakeholders, initially by September 8, 2017. It later extended the deadline twice, fixing November 6 for comments and November 21, 2017 for counter-comments. TRAI chairman RS Sharma had been saying that the regulator was preparing a framework on data ownership, privacy and security, and would soon release it.
TRAI recommended that a common platform should be created for sharing information regarding data breaches. It should be mandatory for all players in the digital ecosystem to be made part of this platform.
It said all entities should disclose information about privacy breaches on their websites and also state the actions taken to mitigate them and prevent future breaches.
In other recommendations, TRAI said the Department for Telecom should re-examine the encryption standards stipulated in license conditions for telecom and internet service providers. It asked for data controllers to be prohibited from using pre-ticked boxes to gain user consent. It said terms and conditions should be short, multilingual and easy to understand. Devices must disclose terms and conditions of use in advance, before sale of the device, it said.