As the data privacy law India yet to out, TRAI proposed in a statement, strong data protection laws aimed at ensuring that Indian telecom users have the right to their own digital data and rules for protection of personal data in the telecom space are not sufficient, while suggesting that consumers to be given the right to choice, consent and to be forgotten to safeguard their privacy.

People should have right to their data, not companies, says TRAI. If the recommendations are accepted by the Centre, digital service providers such as Google and Facebook, application developers like WhatsApp, government entities like UIDAI, device-makers along with telecom operators will have to make sure that users’ data can be collected only with their explicit consent. It means once collected for the specific purpose, the user data can be used only for the limited purpose of providing the service for which the user has signed up.

The proposed rules also have provisions for revoking the consent at a later date. A user will also have the right to be forgotten, which means that the service provider will be mandated to erase all personal data related to that consumer. While the right to privacy should not be treated solely as a property right, it must be recognised that controllers of personal data are mere custodians without any primary rights over the same,” the TRAI said while issuing its recommendations. TRAI’s recommendations on privacy, security and ownership of subscriber data in the Telecom Sector for all entities in the digital ecosystem like service providers, device brands, and operating system, browser and application developers. The fact is user data should not be exploited, manipulated or taken advantage of without the explicit consent of users. This is a historic Data Privacy protection milestone for our nation. India has taken the lead and shown true adherence to the principles of democracy in protecting the right to privacy of a billion connected mobile subscribers.

Here are the highlights from the TRAI’s recommendation:

    *All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.

    *A study should be undertaken to formulate the standards for annonymisation/de-identification of personal data generated and collected in the digital eco-system.

    *Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users' privacy be made applicable to all the entities in the digital ecosystem.

    *The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.

    *Data Controllers should be prohibited from using "preticked boxes" to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.

    *Sharing of information concerning to data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future.

The regulator has also questioned the practice of pre-loaded applications on mobile phone and application developers seeking unnecessary permissions from users as a pre-condition. For example, an application that activates a flashlight as a torch on a mobile device may seek permission for access to the camera, the microphone, and the contact list. The flashlight application simply creates a logical circuit between the battery and the camera flashlight, and does not require access to the camera, the microphone or the contact list for its operation.

The rules proposed by the TRAI come at a time when questions have been raised on the lack of data protection for Indian users of digital services.