When data breaches take place, you should not try to hide that
NEWDELHI: India is the world’s largest telecom market where a huge amount of data is being created and hence must have a robust framework for protection of users, Telecom Regulatory Authority of India (Trai) chairman R S Sharma said in an interview a day after the regulator sent its recommendations to the government on data privacy in telecom. Trai has said that entities that control or process personal information and data are mere custodians and do not have primary rights over it and users should have the right to choose the information they want to share and explicit consent must be taken from them. “There are many applications which require consent to access a user’s contact list, call records and all kinds of data at the time of activation. Do they really need it?
For example, there is an application called Torch. Why does it need my contact list? What will it do with that data?” Sharma said. Trai’s recommendations will act as inputs to the much-awaited report of the justice Srikrishna committee on an overall data protection framework. Excerpts from the interview:
What was the challenge in preparing these recommendations?
Around the same time when the consultation paper was started, the justice Srikrishna committee was constituted by the government to evolve a larger data protection law for the country. The telecom sector is a small segment but significant in the sense that you reach internet only through these internet and telecom service providers and devices... Ultimately, we are subject to the law of the nation. Therefore, we had to be careful to ensure that we don’t overstep our part. As an operating principle, we decided to eschew from giving any recommendations on any subject which has ramifications beyond the telecom space. There are six such issues: rights and responsibilities of data controllers, technology-enabled audit of personal data use, measures to encroach creation of databased business, data sandboxing, legitimate exceptions to privacy regulations and cross-border data flow.
The consultation process was a year long. Did the European Union’s General Data Protection Regulation (GDPR) have an impact on your recommendations?
We have quoted it in many places (in the recommendations). We have taken inputs, counter-inputs, existing laws... it is a comprehensive recommendation which has drawn inputs from every available source.
The recommendations talk of grievance redressal and a common platform to exchange information.
We are saying that when data breaches take place, you should not try to hide that. Share it. Similarly, share best practices as well. We are recommending the creation of a platform for awareness and sharing of breaches when it happens...reporting of these breaches...security does not come from obscurity. You can’t create such silos where you don’t share information because then other people will have to reinvent the wheel.
What kind of impact could these recommendations have on business?
Data is a very powerful tool in the hands of controllers...in the hands of the government for delivery of social benefits. Data can fuel new businesses. When I do transactions on the mobile such as recharge or bill payment, this is a good amount of data which can be used to boost my credit history, for example. So, I can avail the benefit of this data to get access to certain facilities or benefits. We are saying that in the telecom space, you can create frameworks and architecture whereby the telecom consumer’s data can be utilized by them to their own benefit. For example,
Reserve Bank of India in 2016 created a framework for data fiduciary or data aggregators. We are saying create a similar framework for telecom also.