Trai calls for safeguarding consumer data with telecom firms

The Telecom Regulatory Authority of India (Trai) said on Monday that consumers of telecom services have full ownership of their data and have the right to choose and give consent and that telecom companies currently controlling and processing such data are mere custodians and do not have primary rights over it.

In its recommendations to the Department of Telecommunications, Trai said the existing framework for the protection of consumer data is insufficient and suggested that “all entities in the digital ecosystem which control or process personal data of users should be brought under a data protection framework”.
Trai’s recommendations on 'Privacy, Security and Ownership of Data in the Telecom Sector’, submitted on Monday, emphasises on the consumers’ basic right to choose, notice, give consent, port data, as also the right to be forgotten.
In order to ensure sufficient choices to the users of digital services, Trai said, granularities in the consent mechanism should be built-in by the service providers.
For the benefit of telecommunication users, a framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.
The 'Right to Data Portability’ and 'Right to be Forgotten’ are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard, Trai said.
Multilingual, easy to understand, unbiased, short templates of agreements / terms and conditions should be made mandatory for all the entities in the digital eco-system for the benefit of consumers.
Besides, Trai said, consumer awareness programmes should be undertaken to spread awareness about data protection and privacy issues so that the users can take well informed decisions about their personal data.
Data controllers should be prohibited from using "preticked boxes" to gain user consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Devices should disclose the terms and conditions of use in advance, before sale of the device.
It should be made mandatory for the devices to incorporate provisions so that user can delete pre-installed applications if he / she so decides. Also, the user should be able to download the certified applications at his / her own will and the devices should in no manner restrict such actions by the users.
Trai has asked the Department of Telecommunication to re-examine the encryption standards, stipulated in the licence conditions for the TSPs, to align them with the requirements of other sector regulators.
In order to ensure the privacy of users, Trai said a National Policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest.
For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem.
Decryption should be permitted only on a need basis by authorised entities in accordance to consent of the consumer or as per requirement of the law.
All entities in the digital ecosystem, including telecom service providers, should be encouraged to share the information relating to vulnerabilities, threats etc in the digital ecosystem/networks to mitigate the losses and prevent recurrence of such events.
All entities in the digital ecosystem, including telecom service providers, should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.
A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem, including telecom service providers. It should be made mandatory for all entities in the digital ecosystem, including all such service providers, to be a part of this platform.
As data security breaches may take place inspite of adoption of best practices, Trai said necessary measures should be taken by data controllers and processors. For this, the sharing of information concerning data security breaches should be encouraged and incentivised.
Trai had, on 9 August 2017, issued a consultation paper on `Privacy, Security and Ownership of Data in the Telecom Sector’ with the following objectives:
  • To identify the scope and definition of personal data, ownership and Control of data of users of telecom services;
  • Understand and identify the rights and responsibilities of data controllers;
  • Assess the adequacy and efficiency of data protection measures currently in place in the telecom sector; and
  • Identify the key issues pertaining to data protection in relation to the delivery of digital services. (which includes the provision of telecom and internet services by telecom and internet service providers (TSPs) as well the other devices, networks and applications that connect with users through the services offered by TSPs and collect and control user data in that process).
The new guidelines have been formulated on the basis of comments and counter-comments on the recommendations received from the stakeholders along with the additional inputs received during open house discussion.