TRAI’s privacy Recommendations are a Reminder that There is No Shortcut to a Comprehensive Law

It was only last year, that the Union government assured the Supreme Court, in the course of Aadhaar hearings, that India would have a comprehensive Data Protection law by Diwali, or October last year. This was an ambitious target by any stretch. But as the Justice Srikrishna Committee, tasked by the government to draft this law, continues to drag its feet about making its recommendations public, the prospect of a law being passed expeditiously by Parliament has grown increasingly bleak. In the meantime, while public attention on the issue is still high, last week the telecom regulator – Telecom Regulatory Authority of India or TRAI – put forth its own recommendations for data protection norms in the digital economy. The recommendations exemplify some of the dangers of a hurried sectoral approach.

TRAI is not the first sectoral regulator to prematurely put forth its views on data protection. The Reserve Bank of India has publicly gone back and forth on requiring all financial data to be stored in India, and the Health Ministry has proposed its own health data privacy bill, the Digital Information Security in Healthcare Act. Despite a curious shared enthusiasm for a digital consent architecture for data sharing, no consensus has emerged out of these sector-specific regulatory attempts. As regulators grow impatient with the delays in developing a comprehensive data protection framework, India risks splintering into sectoral regulation that both expands these regulators’ mandates and provides insufficient protections for users.

While TRAI’s views have been largely hailed for affirming that users, not companies, should own and control their own data – this is at odds with some of the substance of its data protection recommendations. In particular, its view that “till such time a general data protection law is notified by the Government”, the license conditions applicable to telecom providers be “made applicable to all the entities in the digital ecosystem”. If there was any doubt about what it meant, the broad mandate is spelled out to specifically include “telecom service providers, devices, operating systems, browsers, applications etc.”

These license terms are not merely an awkward fit with non-telecom companies, but many are outdated and raise serious privacy concerns. Take clause 39.12, which mandates that entities, “in the interests of security”, set up “suitable monitoring equipment” as per the requirements of security agencies – “as and when” they may require them. Or the regressive prohibition against “bulk encryption” in clause 37.1. Even as TRAI acknowledges that encryption is critical to online security and calls out the need to update encryption standards, it shies away from recommending the repeal of this condition.

Privacy implications
These broadly worded license conditions arguably stand on a shaky constitutional footing. Last August, nine Supreme Court judges in Puttaswamy vs Union of India affirmed that privacy was a fundamental right in India. Any interference with user privacy by the State would, at minimum, have to be sanctioned by law, seek to achieve a legitimate state aim, and be both necessary and proportionate to achieve this goal. Does a restriction on bulk encryption have statutory backing? Is mass communications surveillance a necessary or proportionate means to achieve the State’s legitimate security interests? The Puttaswamy judgment provides an impetus to reexamine existing legal frameworks. TRAI seems to have missed this opportunity, and instead, chose to recommend expansion of this mandate to the totality of the digital ecosystem.

There are other mixed signals. On the one hand, TRAI makes clear that it has “decided not to make recommendations” on cross-border data flows, pending the Justice Srikrishna Committee report. Yet, since it recommends the telecom license conditions wholesale, we might in fact glean from this TRAI’s tacit approval of the mandate to store certain kinds of data exclusively in servers in India. The telecom license prohibits the transfer of accounting or user information to persons or servers outside India; and allows the government to mandate that traffic related to certain entities is localised “for security reasons”. TRAI does not engage with the import of this recommendation on the broader internet ecosystem whether for the large number of companies that do cross-border business, or even use international payment gateways. Instead, it concludes vaguely that overall, the license represents a “fairly robust” framework to safeguard user privacy.

Note, that TRAI’s views are mere recommendations. Many of its other suggestions for stronger user rights online, although welcome, are unlikely to be enforceable even by the Department of Telecommunications as they fall outside the scope of telecommunications and in the mandate of the Ministry of Electronics and Information and Technology.

All of this is only the latest reminder that there are no quick substitutes to a comprehensive privacy framework. As Mozilla has long argued, passing a strong privacy law must be a national policy priority and TRAI’s recommendations are a clarion call for action. Patchwork sectoral laws, in the absence of unified principled foundations, leave privacy in India on shaky footing. The government must stop dragging its feet. – Scroll