By Prarthana Mitra
In a bid to contain the fallout of the Aadhaar fiasco, the Telecom Regulatory Authority of India (TRAI) on Monday announced that users own their data, and all other digital entities that store, harvest or process user information are “mere custodians.”
The crucial announcement was followed by suggestions, coming right before a committee led by Justice BN Srikrishna is set to address data protection across all sectors, and at a time when the privacy and safety of user data, especially through mobile apps and social media platforms, is causing widespread alarm.
Here are the potentially ground-breaking suggestions TRAI made
Addressing the need for stricter privacy laws to replace the current norms cited under the IT Act, TRAI noted that the “right to choice, notice, consent, data portability and be forgotten” should be extended to telecommunication users. Once implemented, this would imply that browsers, mobile applications, smart devices, operating systems and telecom service providers among others, will not be able to share personal data with third parties without users’ consent.
3 yrs on @TRAI recommndatins r finally out! Creats legal rights 4 consumers n obligatns on Cos.
— Rajeev Chandrasekhar 🇮🇳 (@rajeev_mp) July 17, 2018
In light of the alarming trends in the digital ecosystem today, TRAI wants to limit personal data collection when applications don’t even require that information. The regulating body shared the example of an application that activates the flashlight as a torch on your mobile phone, saying that it seeks permission to access the camera, microphone, and contact list for no reason.
“It has also been reported that the applications may deploy a waterfall model of consent wherein once an entity is given consent by the user for a particular application or service, the entity translates the consent to many other entities on its own without obtaining explicit consent or knowledge of the user which is a serious breach of users’ personal data, choice, and consent,” TRAI said.
#Exclusive | Level of encryption varies from agency to agency in our country. Not saying we want the same encryption standard throughout the industry; it should be proportional to the privacy one wants to achieve: @TRAI Chairman @rssharma3 @ChandraRSrikant pic.twitter.com/SnyCfboL4P
— ET NOW (@ETNOWlive) July 17, 2018
In what could be a historic move, TRAI has recommended that all entities in the digital ecosystem that control or process users' personal data should be brought under a data protection framework.
According to Business Standard, TRAI has also proposed several measures to prevent third parties from controlling, processing or using your meta-data to identify individual users, like prohibiting developers from providing “pre-ticked boxes” on the app consent form.
“To ensure the privacy of users, national policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest,” the regulator said. TRAI has further suggested that all entities in the digital ecosystem, including telecom operators, should transparently disclose information about privacy breaches on their websites, along with the actions taken to mitigate them and to prevent such breaches in future.
Reaction and roadmap
Apar Gupta, a New Delhi-based lawyer, said TRAI had approached data protection from the point of view of ownership and not that of privacy being a human right, even though the Supreme Court had reiterated that point last year.
Telecom industry body COAI reacted warmly to TRAI’s recommendations. In a press statement, they said, “We are happy as the regulator is calling for all digital entities to be brought under data protection framework…the regulator, by making the recommendation, is ensuring that no exception is made for any service provider, while subjecting them to the rules to meet the national security and privacy norms.”
In its recommendations on privacy, security and ownership of data in the telecom sector, TRAI further noted, “Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to service providers for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications.”
Why would any want to hack CIDR when you can write some malware and collect biometrics while the transactions are occurring. Clearly government can't say #Aadhaar is end to end encrypted https://t.co/MdM29bMiKC
— Srinivas Kodali (@digitaldutta) July 16, 2018
Last year, the privacy provisions in the Aadhaar Act came under fire for being painfully insufficient. While biometric data is protected, information like medical histories and mobile numbers was not, which only points to the need for a robust mechanism to protect the privacy of such huge databases.
Prarthana Mitra is a staff writer at Qrius.