The Telecom Regulatory Authority of India (TRAI) this week issued its recommendations on “Privacy, Security and Ownership of Data in the Telecom Sector”, much to the glee of a large section of users who are being haunted by the threat of data theft.

After achieving great success in the formation of net neutrality norms in India, TRAI has now come up with a new set of recommendations about data privacy in India. Earlier this year, the subject was the cause of great controversy because Cambridge Analytica, the political data firm was accused of “harvesting” personal data taken illegally from Facebook. It was also alleged that they used the data to influence elections all over the world, including in India.

New reports are now suggesting that the Department of Telecommunications (DoT) will only take up those recommendations by TRAI which are relevant to their sector. The remaining recommendations would contribute to the framing of India’s first data protection law by the Srikrishna Committee.

Now, TRAI has framed a new set of recommendations to answer the following issues:

1. To identify the scope and definition of Personal data, Ownership and Control of data of users of telecom services.
2. Understand and Identify the Rights and Responsibilities of Data Controllers.
3. To assess the adequacy and efficiency of data protection measures currently in place in the telecoin sector.
4. Identify the key issues pertaining to data protection in relation to the delivery of digital services. This includes the provision of telecom and Internet services by telecom and Internet service providers (TSPs) as well the other devices, networks and applications that connect with users through the services offered by TSPs and collect and control user data in that process.

Among many key recommendations, one of the important suggestion revolves around the relationship between the users, the mobile phone service providers, app makers and any other middlemen. TRAI has clearly said in its 77-page report:

“In respect of the ownership of personal data, the Authority is of the view that the individual must be the primary right holder qua his/her data.

While the right to privacy should not be treated solely as a property right, it must be recognised that controllers of personal data are mere custodians without any primary rights over the same.

For instance, it would appear illogical/inequitable to permit complete transfer of rights over an individual’s personal data. This would imply that the personal data can no longer be used/accessed by the data owners — a situation which is quite clearly untenable.

Apps should collect minimal data like Aadhar: TRAI chiefhttps://t.co/2RTEhpIeOc pic.twitter.com/nYtHT52oct

— NDTV (@ndtv) July 18, 2018

In the circumstances, there must be a recognition that while data controllers may indeed collect and process personal data, this must be subject to various conditions and obligations – including importantly, securing explicit consent of the individual, using the personal data only for identified purposes, etc. The entity that has control over personal data would be responsible for compliance with data protection norms.”