Trai Floats Paper on Data Security of Mobile Users
Operators question regulator’s jurisdiction over an issue that flows beyond telcos
New Delhi: The telecom regulator has started a consultation process to assess whether the data rights of mobile phone users are adequately protected, a move that carriers said would lead to overregulation. They also questioned the watchdog’s jurisdiction on an issue that extends beyond telcos.
Through a consultation paper issued on Wednesday, the Telecom Regulatory Authority of India said it aimed to identify key issues pertaining to data protection in relation to delivery of digital services, including telecom and data services, as well as devices, networks and applications that collect and control data generated by users through telcos. The regulator wants to know if there should be greater parity in data protection norms applicable to carriers and Internet-based voice and messaging services. Internet-based messaging services include WhatsApp and Hike.
In the paper titled, ‘Privacy, Security and Ownership of the Data in the Telecom Sector,’ Trai described data protection as ‘the ability of individuals to understand and control the manner in which information pertaining to them can be accessed and used by others.’
ET was the first to report in its edition on Wednesday that Trai would come out with a consultation paper on data security. Comments on the paper, which has a dozen questions aimed at identifying the scope and definition of personal data, ownership and control of data of users of telecom services and assessing the adequacy and efficiency of data protection measures currently in place, have been sought by September 8 and counter-comments by September 22. The regulator will then hold openhouse discussions, following which it will make recommen-
a need to create a tech-enabled architecture for auditing use of personal data, and associated consent? strengthen, preserve safety & security of telecom infra, digital ecosystem? dations to the telecom department, which will take a final call on implementation.
Telcos questioned whether data ownership, security and privacy fall under the regulator’s ambit, noting that the watchdog “may bite off more than it can chew” while issuing a consultation paper on a subject that also involves entities that are not telecom licence holders.
“The questions posed by the Trai paper are very broad and the risk is that of over-regulating an industry where technological changes and innovation can rapidly make any regulation outdated,” said Rajan Mathews, director general of the Cellular Operators Association of India (COAI), a grouping of operators including Bharti Airtel, Vodafone India, Idea Cellular and Reliance Jio Infocomm. “There are also questions of jurisdiction that need to be answered.”
Telcos argued that regulating data through telecom operators alone, which fall under the purview of Trai, and excluding entities that are not licensees may create an arbitrage that may be detrimental to carriers.
“Why is Trai looking at data
to be taken for encouraging new data-based businesses consistent with framework of data protection? be the exceptions to data protection needs?
ET was the first to report in its edition on
that Trai would come out with a consultation paper on data security protection/usage outside telecom ecosystem? It governs carriage, not content/data. Looking at data collection and consent mechanism is a ministry of IT role, not that or ministry of communications, and not Trai,” said Nikhil Pahwa, a proponent of net neutrality in India.
In the paper, Trai said it is “of the view that the users should be empowered in respect of ownership and control of his/her personal data and to ensure this, all the players in the ecosystem are bound to follow certain safeguards while collecting, storing and using the data pertaining to their subscribers.”
“What are the key issues of data protection pertaining to the collection and use of data by various other stakeholders in the digital ecosystem, including content and application service providers, device manufac- turers, operating systems, browsers, etc?” Trai asked.
The regulator said rationale for government intervention in data protection and ownership arises for preventing “harm to consumers.” Consumers typically underestimate the value of personal data and the impact of agreeing to share it, while service providers benefit by acquiring and holding such data, it said. Trai asked if there should be legitimate exceptions to the data protection requirements imposed on digital service providers.
It also introduced the concept of data controllers — defined as ‘any organisation that determines the purposes and means of processing the personal information of users’ — and sought comments on their rights, responsibilities and whether their rights supersede those of an individual over personal data. It also sought views on new capabilities to be granted to consumers over the use of personal data.
The regulator noted that many mobile apps sought access to a user’s call records, device microphone and picture library, which may not be needed to provide the service.
“In light of recent advances in technology, what changes, if any, are recommended to the definition of personal data? Should the user’s consent be taken before sharing his/ her personal data for commercial purposes?” the regulator asked.
Trai’s consultation paper appears to be triggered by iPhone maker Apple, which is yet to allow the regulator’s DoNot-Disturb app to be listed on its App Store. Trai chairman RS Sharma said Apple is acting like a “data coloniser” and is being “anti-consumer.”
Trai wants to know if there should be greater parity in data protection norms applicable to carriers and net-based voice and messaging services