The Authority had issued a Consultation Paper on "Privacy, Security and Ownership of Data in the Telecom Sector" on 9th August, 2017. Comments and counter-comments received from the stakeholders were published on TRAI's website. An Open House Discussion was also conducted in New Delhi on 01.02.2018.
TRAI said rules for protection of personal data in the telecom space are not sufficient and suggested that consumers be given the right to choice, consent and to be forgotten to safeguard their privacy.
TRAI held that consumers are owners of their data and that entities controlling, processing their information are "mere custodians and do not have primary rights over this data".
TRAI recommended to the Department of Telecom: "The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers."
In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers, the regulator added.
TRAI has suggested that all entities in the digital ecosystem, including telecom operators, should transparently disclose information about privacy breaches on their websites, along with the actions taken to mitigate them and to prevent such breaches in future.
All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.
A study should be undertaken to formulate the standards for anonymization/de-identification of personal data generated and collected in the digital eco-system.
Until a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users' privacy should be made applicable to all the entities in the digital ecosystem.
The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.
Data Controllers should be prohibited from using "pre-ticked boxes" to gain users' consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Sharing of information concerning data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future.
The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.
The regulator had issued a consultation paper entitled Privacy, Security and Ownership of Data in the Telecom Sector on Aug 9 last year and an open house discussion was held on Feb. 2. The TRAI had also invited comments and counter comments as part of the consultation.
Top comments: Pranesh Prakash, a policy director at the Centre for Internet Society, said: “This is the first time I’ve seen TRAI being bold enough to venture into this area. There are many positives here in terms of the data protection regime that they want to set up.”
He added: “It talks about user choice, consent, about notice being mandatory and simplified in language that people understand rather than two hundred pages of legal forms.”