Why in news?
Telecom Regulatory Authority of India has ruled that People should have right to their data.
What is TRAI’s recommendation about?
- In a move with far-reaching ramifications, the Telecom Regulatory Authority of India (TRAI) said that users owned their data, while entities in the digital ecosystem storing or processing such data were mere custodians.
- The recommendations have come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.
- The authority said it was limiting its recommendations to telecom service providers (TSPs) as the larger issues on data protection.
- For all other sectors the issues would be addressed by the committee headed by Justice B N Srikrishna.
What are the highlights of TRAI’s recommendations?
- TRAI claimed that existing norms “not sufficient” to protect consumers and ruled that entities processing user data mere custodians sans primary rights
- The regulatory authority stated that firms should disclose data breaches in public and should list actions taken for mitigation, preventing breaches
- Apart from that consumers should be given right of consent, right to be forgotten and study should be undertaken to formulate the standards for de-identification of personal data
- TRAI’s right to be forgotten empowers users to delete past data that they may feel is unimportant or detrimental to their present position.
- Past data could be in terms of photographs, call records, video clippings and so on.
- Mandatory provisions should be incorporated in devices so that users can delete pre-installed applications
- Terms and conditions of data use should be disclosed before the sale of a device
- Data controllers should be prohibited from using pre ticked boxes to gain user’s consent.
How such recommendations would be implemented?
- To ensure the privacy of users, national policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest.
- Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to service providers for protection of users' privacy be made applicable to all the entities in the digital ecosystem.
- For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications.
- It has also been proposed that privacy by design principle coupled with data minimisation should be made applicable to all the entities in the digital ecosystem.
- These recommendations when accepted by the government will mean that entities like browsers, mobile applications, devices, operating systems and service providers, among others.
- Such entities will not be able to share personal data with third parties without getting the consent of customers.
Source: Business Standard