Users generate a large amount of data during their regular interactions with information technology and telecommunications services. Internet service providers, application developers, operating systems of smartphones and content providers all log various user activities on their services.
This data is analysed to improve the service for the end users, but also used in ways that are advantageous to the service providers. The Government can also use some of this information to guide policies, formulate ways in which the services can be improved, and prevent crime.
The Telecom Regulatory Authority of India (TRAI) wants to ensure that the users have complete transparency and control over what kind of usage is being tracked, how the data is stored, and sharing of the collected information with third parties. TRAI has floated a consultation paper in this regard, and the scope is limited to informational privacy. The TRAI consultation is in parallel to efforts by the government to formulate comprehensive data protection laws for the country. The purpose of the consultation is to asses if individual users are sufficiently protected in an ever-changing information technology environment.
The intervention from the authorities is to address three aspects that can be harmful to the users. The companies that provide the services know more about what data they are collecting, and how it is being used, than the users themselves. This is known as information asymmetry. The second problem is that while consenting to let a company track their data, the users may not be aware of the long term consequences of providing this consent, this is known as bounded rationality. Finally, there is data monopoly, large organisations that collect vast amounts of data may use it to extend their monopolies. The Government wants to take steps to allow this data to be portable, with the consent of the users.
To encourage the creation of new services, and extend all the benefits that information technologies offer to users, the regulators have two broad approaches when it comes to data. The first is to enable porting of data, so that all the user data collected from one service can be shared with another. The second is to create anonymised public data sets that can be used as a testbed by emerging service providers.
TRAI has raised twelve specific questions, but stakeholders can provide any additional comments on issues related to data privacy in telecommunication services, that have not been raised by the consultation.
The authorities want to know if the current data protection requirements are sufficient to protect the informational privacy of users of telecommunication services and if additional measures need to be put into place. There is a question of if a user’s permission is required for using the collected data for commercial purposes, and the kind of capabilities that should be available to the end user to control how their data is being used.
Then there is the question of the rights and responsibilities of those who have the data, and if their rights should supercede that of the users. For example, users may not want the service providers to record what kind of content they access on mobile internet connections, but this information can be used by the service providers to give all the users a better service.
TRAI also wants feedback on potentially implementing an architecture that keeps track of the personal data collected, as well as the permissions by the users given on how it can be used. The steps needed to encourage new businesses based on data, the creation of an anonymised data sandbox for developing new services, and the technologies needed to monitor the systems for compliance with the data protection regulations are other issues under consultation.
Then there is the question of the safety and security of the entire telecommunication infrastructure, as well as digital ecosystems. TRAI is asking for feedback from the industry on any additional steps needed to secure the entire network.
Another question is the specific allowances for what kind of data can be collected and stored by the various kinds of service providers such as content providers, device manufacturers, and developers of applications, web browsers and operating systems.
One issue that could be touchy is greater parity in data protection norms between telecom service providers and applications that provide similar services through the internet. The industry has been demanding for same rules for the same services in many consultation papers. The telecom service providers feel that it is unfair that while rules are enforced on them for providing voice and message communication services over telecom networks, the same rules are not applicable to VOIP services and instant messaging applications.
Then there is the matter of exceptions to any data protection regulations that may come into place, in the context of lawful interception of the data for surveillance purposes, and in the interest of preventing crime. This could put the service providers in a tight position if strong encryption and data protection is necessary, but the private communications could be made available to the law enforcement authorities on demand. A requirement for enabling lawful interception can result in less secure communications between users. The final question touches upon measures needed to address cross border flow of data and “jurisdictional challenges in the digital ecosystem”.
The consultation paper seeks inputs from stakeholders for formulating a comprehensive data protection regime for users in India. There are a number of specific issues on which TRAI has asked for feedback. The last date for submission of comments are on 8 September 2017, with counter comments to be submitted by 22 September. These deadlines may be extended if the stakeholders demand it, and if TRAI is convinced that more time is needed for the responses and counter comments. The full text of the consultation paper is available on the TRAI website.
Updated Date: Aug 10, 2017 11:40 AM