Data Protection: Srikrishna Report Delayed, TRAI Sets The Tone

The talk of the tech policy circles in Delhi these days is about the delays in the release of the Srikrishna Committee report on privacy: Will they release a law, or will it just be recommendations?

Have the recommendations been delayed because the committee is indecisive now about data localisation, given the reaction to the RBI’s seemingly ‘out of the blue’ diktat regarding localisation of financial transaction data?

Is the iSpirt/UIDAI/‘Nandan-Nilekani-friendly’ faction in the Srikrishna Committee digging its heels in about data localisation? Or is it that they don’t want it to affect Aadhaar and Justice Srikrishna does?

Is there a point to the Srikrishna Committee, since the bill may never get tabled: the opposition may not let the Monsoon session to run in Parliament, and there’s very little chance of any work in the Winter session?

These recommendations are being seen as a signal for what’s to come from the Srikrishna Committee.

Issues That The TRAI Has Avoided

Before we get into what the TRAI has recommended, I think it’s worth looking at what the TRAI has avoided talking about:

• Data localisation
• Cross-border data flows
• Legitimate exceptions to privacy
• Lawful interception
• Responsibilities of data controllers and technology-based audit

These are all contentious topics and there, from what we’ve heard, is a lot of pressure from law enforcement agencies, for access to user data.

Most importantly, it hasn’t gone into issues of mass surveillance and its prevention, offered no conclusive comments on exceptions to the privacy law, saying that because the privacy framework is under development, “the Authority has decided not to make any recommendations.”

Somewhere in the paper, it does say that “Since the data is collected by private as well as government entities, the data protection framework should be equally applicable to both the government as well as private entities”, which is a welcome development, given that there would have been push-back regarding this from the Home ministry.

That said, the TRAI has done a fairly decent analysis of issues pertaining to cross-border data flows and data localisation, without taking a stand on it.

TRAI Recommendations On Privacy And Data Protection

1. Ownership Of Personal Data

“Each user owns his/her personal information/data collected by/stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.”

The TRAI says that data isn’t just a property and “…it would appear illogical/ inequitable to permit complete transfer of rights over an individual’s personal data.”

“In the circumstances, there must be a recognition that while data controllers may indeed collect and process personal data, this must be subject to various conditions and obligations – including importantly, securing explicit consent of the individual, using the personal data only for identified purposes, etc. The entity that has control over personal data would be responsible for compliance with data protection norms.”

The TRAI has recommended a study to formulate standards for anonymisation and de-identification of personal data. In addition, it has said that “All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users.”

2. Jurisdiction Of TRAI’s Recommendations

Two aspects of the TRAI’s recommendations appear to go beyond its remit. It says:

“Till such time a general data protection law is notified by the government, the existing Rules/Licence conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. For this purpose, the government should notify the policy framework for regulation of Devices, Operating Systems, Browsers, and Applications.”

These recommendations, coupled with the recommendations regarding devices – of allowing users to delete pre-installed apps, and previous comments from the TRAI chairman regarding devices being a part of the telecom ecosystem, appear to be seeking to extend the TRAI’s jurisdiction beyond telecom.

Remember that when this paper came out, it appeared to be more about the internet than telecom, and we had pointed out that the TRAI does not have jurisdiction over the internet.

That should be with MEITY, in the absence of a Data Protection Authority.

A positive development is the TRAI’s suggestion:

“Since the data is collected by private as well as government entities, the data protection framework should be equally applicable to both the government as well as private entities.”

3. Data Minimisation And Privacy By Design

“Privacy by design principle should be made applicable to all the entities in the digital ecosystem viz, Service providers, Devices, Browsers, Operating Systems, Applications etc. The concept of ‘Data Minimisation’ should be inherent to the Privacy by Design principle implementation. Here ‘Data Minimisation’ denotes the concept of collection of bare minimum data which is essential for providing that particular service to the consumers.”

4. Data Portability And Deletion

“The Right to Data Portability and Right to be Forgotten are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard.”

That said, empowering users to delete telecom data, and port their data (and not just from their numbers), is a welcome move.

5. Notice And Consent

This is a big one. As we’ve discussed, consent is broken, and the TRAI has recommended that for telecom users.

5. a) Consent mechanism on the basis of the Electronic Consent Framework from MEITY

“In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers.” Apart from that, the TRAI has recommended that a framework, “on the basis of the Electronic Consent Framework developed by MEITY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for the telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.”

5. b) Multilingual agreements

The TRAI has recommended that agreement/terms and conditions be “Multilingual, easy to understand, unbiased, short templates” for “all the entities in the digital eco-system.”

5. c) No pre-ticked boxes

“Data Controllers should be prohibited from using ‘preticked boxes’ to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.”

5. d) Devices and consent

(g) Devices should disclose the terms and conditions of use in advance, before sale of the device.

(h) It should be made mandatory for the devices to incorporate provisions so that user can delete such pre-installed applications, which are not part of the basic functionality of the device, if he/she so decides. Also, the user should be able to download the certified applications at his/her own will and the devices should in no manner restrict such actions by the users.

6. Improvement In Encryption Standards

This is one of the issues that we had raised at the open house on privacy: That data sent over telecom networks is not secure, and we need strong privacy recommendations to enable security of that data. The TRAI recommends that:

• “To ensure the privacy of users, National Policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the Government at the earliest.”
• “For ensuring the security of the personal data and privacy of telecommunication consumers, personal data of telecommunication consumers should be encrypted during the motion as well as during the storage in the digital ecosystem.
• “Decryption should be permitted on a need basis by authorized entities in accordance to consent of the consumer or as per requirement of the law.”

This is a very welcome suggestion from the TRAI, and it’s about time that this issue got addressed. That said given the mess that the last (now withdrawn) Draft Encryption Policy was, this needs to be looked at carefully.

7. Breach And Notification

• “All entities in the digital ecosystem including Telecom Service Providers should be encouraged to share the information relating to vulnerabilities, threats etc in the digital ecosystem/networks to mitigate the losses and prevent recurrence of such events.
• All entities in the digital ecosystem including Telecom Service Providers should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.
• A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including Telecom service providers. It should be made mandatory for all entities in the digital ecosystem including telecom service providers to be a part of this platform.
• Data security breaches may take place in-spite of adoption of best practices/ necessary measures taken by the data controllers and processors. Sharing of information concerning to data security breaches should be encouraged and incentivized to prevent/mitigate such occurrences in future.”

This is a measured approach: one issue with breach notifications is that companies that get breached are afraid of harassment from law enforcement agencies.

It’s a tricky thing to deal with: at one level, it is important to ensure that companies try and protect user data, and hence penalties are a means of ensuring that they behave responsibly.At another level, the fear of penalties (and loss of business) prevent companies from disclosing breaches to law enforcement and customers.

All in all, these are welcome recommendations from the TRAI.

This article was originally published on MediaNama.

Nikhil Pahwa is Founder and Editor at MediaNama, TED Fellow, and co-founder SaveTheInternet.in and Internet Freedom Foundation.

The views expressed here are those of the authors and do not necessarily represent the views of BloombergQuint or its editorial team.