Data belongs to individual users: Trai
NEW DELHI: TRAI SAID THE EXISTING FRAMEWORK FOR THE PROTECTION OF TELECOM CONSUMERS PERSONAL INFO IS NOT ENOUGH AND CALLED FOR NEW RULES TO MISUSE OF USERS’ DATA
The Telecom Regulatory Authority of India (Trai ) on Monday released the recommendations on “Privacy, Security and Ownership of Data in the Telecom Sector”, where it has mentioned each user owns his/ her personal information/ data collected by/stored with the entities in the digital ecosystem.
“The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data,” it stated.
The Trai recommended that a study should be undertaken to formulate the standards for annonymisation/de-identification of personal data generated and collected in the digital ecosystem. “All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.”
It mentions that the existing framework for protection of the personal information/ data of telecom consumers is not sufficient.
“To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework,” it adds.
Trai said that till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to telecom service providers (TSP) for protection of users’ privacy be made applicable to all the entities in the digital ecosystem.
“For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications.”
The principle of privacy by design coupled with data minimisation should be made applicable to all the entities in the digital ecosystem like, service providers, devices, browsers, operating systems and applications.
It said: “The Right to Data Portability and Right to be Forgotten are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard.”
Consumer awareness programs be undertaken to spread awareness about data protection and privacy issues so that the users can take well informed decisions about their personal data, the sector regulator suggested.
“Data Controllers should be prohibited from using ‘preticked boxes’ to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements. Devices should disclose the terms and conditions of use in advance, before sale of the device,” it said.
“For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem. Decryption should be permitted on a need basis by authorised entities in accordance to consent of the consumer or as per requirement of the law,” it said.