TRAI to Draft Principles on Privacy of User Data

The Telecom Regulatory Authority of India (Trai) is soon expected to lay out the broader principles on data ownership, security and privacy before the government, but will stop short of recommending rigid guidelines.

According to one person aware of the matter, the telecom regulator feels the data security and privacy space is still evolving. “The concepts are still emerging and changing very fast. So, hard-coding anything will be difficult, as it may become obsolete tomorrow. Principles are more important because they do not become obsolete very soon,” this person said, requesting anonymity.

In August 2017, Trai had floated a consultation paper to identify the scope and definition of personal data and ownership, and control of user data by telecom service providers, apart from identifying the rights and responsibilities of data controllers. The consultation paper was followed by an open house discussion in February.

“The issues around data security are far bigger than telecom. That is why Trai is working within its boundary and has maintained that its recommendations would just be an input to the justice B.N. Srikrishna committee,” he added.

The Union government hopes that the first draft of the recommendations on a data protection legislation by the committee will be completed by June.

The committee was constituted last year, much before the Facebook-Cambridge Analytica data scandal came to light, and has already sought stakeholder inputs on its white paper.

Moreover, the draft of the national communications policy states that the government is looking to establish a comprehensive data protection regime for digital communications, which would safeguard the privacy, autonomy and choice of individuals.

To achieve the desired results, existing licenses and terms and conditions may have to amended to incorporate provisions with respect to privacy and data protection, besides formulating a policy on encryption and data retention in line with global standards.

“The issues surrounding data privacy and ownership are very complicated for there to be a very elaborate law, especially in an evolving market like India, where the conversation around data privacy has recently begun,” said Suneeth Katarki, partner, IndusLaw.

While the European General Data Protection Regulation is a clear, prescriptive and compliance-heavy piece of legislation, industry experts expect the US to opt for state-specific laws that would be principle-driven but not as elaborate.

“The law here will need to outline the role and liabilities of data controllers, collectors and processors. It should also ensure that data collectors obtain consent to monetise the data in an informed manner. Moreover, consent cannot be one time and needs to be reviewed at periodic intervals,” said Katarki .

User-generated data is integral to the business models of major communication and social media networks as it makes them valuable to advertisers, which in turn use it to help companies target goods and services at the right audience.

“The dilemma here is interesting. The value of the product and the potential abuse are both directly proportional to the amount of data being mined. Targeted advertising makes these companies mining user data valuable to the user, but also poses a risk to them,” a sector analyst said, requesting anonymity.

“The regulator is walking a tightrope in forming rules around data privacy. Whatever it does may have collateral damage. If you focus on privacy, you lose out on functionality and vice-versa. Moreover, defining what data is personal, and who owns that data, will be a huge regulatory challenge,” he added. – Live Mint