TRAI, on 16 July, released its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector, following the Consultation Paper it issued on the subject last August. The new recommendations show a strong pro-privacy stance, with the aim of keeping the user in control of his data. It names the user as the primary holder qua his data.
The privacy recommendations, however, are intended to apply across the digital ecosystem, encompassing a much wider spectrum of entities than are traditionally regulated by TRAI, including browsers, handsets, tablets, OTT services, applications and the like. This aspect may lead to an overlap and perhaps an overreach of TRAI’s jurisdiction.
The recommendations themselves are at present of a temporary nature and intended to be revisited on the enacting of a data protection law in India.
Extending TRAI’s jurisdiction across the ‘digital ecosystem’
Many objections have been raised on TRAI’s attempts at extending its jurisdiction, particularly w.r.t this paper. While TRAI has stated in these Recommendations that it is restricting its jurisdiction to the telecommunication sector and the users in this sector, it is actually proposing to regulate a much broader range of entities.
In what it describes as the ‘digital ecosystem’, TRAI includes the TSPs, personal devices like mobile handsets and tablets, M2M or machine to machine devices, communication networks like base trans-receiver stations, routers, switchers and so on, browsers, operating systems, Over The Top or OTT service providers, applications, etc. Many of the privacy recommendations made by TRAI, though temporary, if enacted will apply across these entities.
Changing technologies justify the extension
TRAI has attempted to justify this extension of its jurisdiction on the basis of the change that advancement in technologies have brought to traditional telecommunication services. While refraining from actively regulating these entities, it discusses the new dangers posed to the privacy of the people via the involvement of multiple actors.
For instance, it refers to the fact that previously, the intelligence resided in the telecommunication networks only, but now this includes the end (smart) devices as well. Data in the telecommunication sector now not only passes through the TSPs, but through all the entities involved in the end devices, such as device manufacturers, browsers, operating systems, applications, etc.. For example, today, user data such as browsing history, call logs, location data, contact details etc. are captured not only by the TSPs, but by these entities as well. Based on this, it argues that now, data needs to be protected not only from harmful external agents but also from misuse by these entities themselves.
Existing Rules/license conditions to be extended across the digital ecosystem
To understand the implications of this extended application, consider the existing rules/ license conditions. Acknowledging the inadequacy of existing data protection norms and the argument between TSPs and Over-The-Top services on the lack of a level playing field between the two, TRAI recommended that data protection norms be made uniform across the digital ecosystem. To achieve this, as an interim measure till the data protection law is enacted, it recommends that the existing rules/ license conditions for the protection of users be made applicable across the entities in the digital ecosystem.
These include, for instance, license terms permitting a maximum of 40-bit encryption, and requiring special permission and a deposit of a key for decryption for encryption that is any higher. Section 5(2) of the Telegraph Act requires that the entities must intercept communications if required by the government to do so. The extension of such rules would mean that the browsers, applications, OTT services, personal devices and so on will all need to comply with these measures.
While TRAI has refrained from otherwise regulating the other entities, it has recommended that the government should notify the policy framework for regulation of Devices, Operating Systems, Browsers and Applications.
User will be primary holder qua his data
In addition to extending these rules, it has recommended many rules to strengthen existing data protection laws until the new law is enacted. Taking a strong pro-privacy stand, it has declared that the user be the primary holder qua his data, and that other controllers be mere custodians of this data. Again, it is to be remembered that these recommendations, if enacted, will have to be followed by all the entities in the digital ecosystem:
Definition of personal data and restriction on the use of metadata: Firstly, TRAI has recommended that the definitions of personal data and sensitive personal data be retained in their present form until the new law is enacted. Mode of capture is to make no difference to the classification of the data. It further proposes a restriction on the use of metadata by digital entities to identify individuals.
Privacy by design and data minimisation: It recommends the embedding and enforcement of the principles at every point of the digital ecosystem through privacy by design. Data minimisation is further to be in place by place every entity.
Explicit Consent and multilingual notices: It further recommends explicit consent for any data collected. Any form of implied consent, including the use of pre-ticked boxes for opt-out consent, is to be forbidden. Notices are to be multilingual and easy to understand. It further takes issue with the translation of consent from one purpose of data use to another. It has thus supported the right to choose, notice and consent, as well as the principles of collection limitation and purpose limitation.
Ability to delete pre-installed applications: TRAI further takes issue with the one-sided agreements that users are subject to, with reference also to the numerous pre-installed devices that are allowed to come in and process data through them. It requires that users have the option to deactivate or delete such applications, and that the functionality of auto-upload by default to such applications is disabled. This is likely to affect business arrangements, particularly of those of handset developers.
Right to be forgotten and right to data portability: TRAI, discussing the inability of users to move their data from one service provider to another, and further their inability to have their data properly erased from a given entity, has required the rights of data portability and the right to be forgotten to be available to all telecommunication users. It has further recommended that the government put in place grievance redressal mechanisms for the users.
Disclosure of breaches: It requires all entities in the digital ecosystem to transparently disclose information on breaches. It recommends the creation of a common platform for sharing of information on vulnerabilities, and that this sharing be encouraged and incentivized.
Encryption: On encryption specifically, it further recommends that encryption standards be made uniform across all entities, unlike current norms (such as SEBI recommending 64/128 for internet trading, RBI’s SSL/128 for internet banking, DoT’s 40 and so on). It also recommends that the government notify a National Policy for encryption of personal data. This encryption, it recommends, must apply to data in motion as well as in storage.
Account Aggregator for the telecom sector
It further recommends that a system similar to Meity's Electronic Consent Framework and the RBI’s Account Aggregator system be put in place for the telecom sector as well. Such an account aggregator can have more far reaching privacy implications than that for the financial sector, given that this could include data from, say, every app on a person’s phone. There are no further details as to what kind of information will be aggregated, or of who could have access to this data.
Data localisation and cross-border flows
On data localisation and cross-border flows, TRAI did not make any specific recommendations at present. It, however, in its discussions, took a similar view to the rumors that surfaced on the Data Protection Law’s stand on data localisation, that cross-border flows are to be allowed, with an exception for highly sensitive data which is to be stored in India. Examples given were of healthcare and finance sectors. This stand was taken in view of the issues created by cross-border flows of data, such as Google’s responses to only 55 percent of requests made for data, and the inadequacy of Mutual Legal Assistance Treaties for such purposes.
Data sandboxes, technology-enabled architecture for audit, left undecided
Several other important issues were discussed but left undecided on account of the upcoming data protection law. This includes the much-discussed data sandboxes, given the need for an enabling data protection framework first. A similar stand was taken on enabling businesses to use data. The technology enabled architecture to audit the use of personal data and monitor the digital ecosystem was also kept on hold, though TRAI suggested a hybrid model combining manual and automated processes for the audit.
TRAI also refrained from issuing recommendations on issues like defining the roles of controllers and processors or prescribing exceptions (such as national security) to the privacy protections.
Need to clarify overlapping jurisdictions
Thus the rules, while extensive in their protection, create a major overlap with the new data protection law. The overlapping laws could, on the one hand, create compliance issues for the entities regulated, as well as the enactment of laws by one regulatory body without a wholesome view of the issue at hand. A similar overlap was also seen in the financial sector, with overlapping privacy rules being issued for mobile wallets, by the RBI on the one hand and the Meity on the other.
These recommendations thus do bring certain issues to the fore, in particular of the tremendous changes brought about by technology, and the challenge to the traditional roles of bodies like TRAI. This is an issue that needs to be addressed fast, in order to ensure a better division of powers in the age of technology, as well as more clarity for the entities under regulation.
TRAI’s pro-privacy stand is very welcome
Given that TRAI’s recommendations at present are temporary, and several issues have been left to be decided later, the full picture of TRAI’s stand on privacy will come out only after the data protection law is enacted. Then, TRAI’s stand on data analytics, data sandboxes, and the like will be known. In the meantime, given issues like Aadhaar on the one hand, and the Social Media Communications Hub on the other, to have a governmental body taking a strong pro-privacy stand is extremely welcome.
The author is a lawyer and author specializes in technology, privacy and cyber laws. She is also a certified information privacy professional.