17 July 2018

TRAI Recommendations on Privacy, Security, and Data Ownership

(First impressions)

TRAI released its 'Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector' yesterday: pdf accessible via its website. Importantly, the recommendations understand and recognise the primacy of users' ownership of their own data. In essence, they suggest that as little data as is required be collected, and that a study to formulate standards of data anonymization be undertaken.

Users, TRAI has said, should have rights to choice, notice, consent, data portability as well as the benefit of the right to be forgotten within the framework of law, and the recommendations suggest that a grievance redressal mechanism be set up to address user concerns. 

As far as devices are concerned, TRAI has recommended that it be made possible to delete pre-installed apps, and for users to install apps effectively at will. The terms of use of a device should be disclosed to consumer-users before its sale to them.

TRAI has also talked about re-examining encryption standards. It has suggested that a National Policy on Encryption be notified, and that decryption should be undertaken either with user consent or in accordance with the law. Although this sounds acceptable in theory, it is a prime example of why the recommendations do not go far enough: the law governing the field is full of lacunae and ambiguities, and the recommendations in this regard do not categorically state that consent must be informed.

The TRAI recommendations do speak of the need to increase public awareness but even so, between existing legal concerns and widespread techno-legal illiteracy, it would be all too easy for users to waive their rights or unnecessarily part with their data without even clearly recognising what they were doing.

Sadly, the framework TRAI's suggested is legalistic and, from the point of view of users, more consent-based than rights-based. This is demonstrated not least by how easy it could be for users to waive what should be inalienable rights. The potential damage may be mitigated by the use of human-readable contracts which, too, TRAI has effectively suggested but it isn't at all clear that this would be enough. 

The recommendations take no clear position on cross-border data flow, and have nothing worth mentioning to say of interception and surveillance. Given that they acknowledge the insufficiency of existing law, this is a perplexing omission. 

It is also unclear why TRAI has issued recommendations at this time considering that the Srikrishna committee has also been considering privacy. In fact, while explaining its reluctance to take a position on cross-border data flow, TRAI explicitly said: "Committee of  Experts headed by Justice B N Srikrishna would be addressing the larger issues related to data protection framework applicable in general to all sectors of the economy."

Thus, the TRAI recommendations do not visibly fine-tune the legal aspects of privacy and data protection particularly given that the Srikrishna report is not yet out. One can only hope that the contents of the TRAI recommendations will prove to be in consonance with those that Srikrishna committee make. If not, they have the potential to create even more confusion in a field that is already rife with ambiguity. This despite their attempt to ensure that user rights are front and centre.

Credit

This site is supported by FrontierNxt.