Centre for Internet & Society

The telecom regulator’s recommendations on data privacy have raised eyebrows over jurisdiction and timing, with IT ministry officials as well as companies questioning the need for it at a time when the government appointed Justice BN Srikrishna committee is in the final stages of drafting the data protection law.

The article by Surabhi Agarwal and Gulveen Aulakh was published in Economic Times on July 18, 2018. Swaraj Paul Barooah was quoted.

Telecom Regulatory Authority of India (TRAI) Chairman RS Sharma though countered that the sectoral watchdog has the jurisdiction to protect consumer interest in the sector, and those who feed off the industry - content providers, or apps, browsers, operating systems, and devices - need to be accountable as far as data protection is concerned.

TRAI Monday released its recommendations on the subject titled ‘Privacy, Security and Ownership of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems and handset makers.

An official of the Ministry of electronics and IT, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. “Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the data protection Act.”

The official also added that TRAI saying that their recommendations will be applicable till the data protection law comes into force "doesn't make sense since it won't have a legal mandate."

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna committee report.

Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

But Sharma was argued Trai was well within its rights to protect telecom consumers.

"Do I not have the jurisdiction to protect the interest of consumers in the telecom sector? I have that. And data protection of consumers in the telecom sector is an issue which is certainly related to the interest of consumers. I have deliberated on that issue, and I’m not saying that bring all those entities under my jurisdiction,” Sharma said.

He added that there is a regulatory imbalance because entities such as devices, OS, browsers and apps are not following any law. “So, the government can come up with a broad framework but till that time let the telecom rules apply on them too."

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

In its statement, IAMAI, which represents companies such as Facebook and Google, called TRAI’s assertion that the existing framework is not sufficient to protect telecom consumers “contradictory.”

“The TRAI recommendations on privacy are premised on a voice and SMS regime. It is not meant for data driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give Call Detail Records. Incidentally, the Sri Krishna Committee under the Ministry of IT, which is the nodal body for apps as well as for handset manufacturers, is deeply, looking into this issue of consent, which is a fair thing to do.”

Voicing similar concerns, the ICA, which represents most of India’s top handset makers, said that the telecom watchdog has absolutely no powers to begin regulating on issues of privacy and ownership of data, leave alone having jurisdiction over devices, operating systems, browsers and applications.

“The industry rejects TRAI's attempts to expand its powers and usurp government's jurisdiction.” It added that TRAI “jumped the gun” by seeking to regulate the digital ecosystem without waiting for the data protection law under consideration by the Justice Srikrishna Committee. “This piecemeal approach is dangerous and unproductive.”

Handset makers such as Intex and Karbonn added they should be kept out of the ambit of the proposed regulations because they don't use customer data or monetise from it, which is mostly what apps do. Any additional pressure on indirect costs will lead to wafer-thin margins getting eroded further and consumers will have to bear the brunt, as it will lead to increase in prices of mobile phones.

Trai’s recommendations have been sent to the Department of Telecommunications (DoT) which has to take a final call on whether they will be adopted.

An official spokesperson for Zomato said that they have not been contacted by any of the regulatory bodies on this, as of now. “Our country is still undergoing the process of setting up a regulatory framework, and what happens between the TRAI recommendations and the B N Srikrishna's committee's draft for Data Protection bill will eventually help set up a much required benchmark.

In its suggestions, Trai said that as with telcos, all user data flows through smart devices, putting the device manufacturers, browsers, operating systems, and applications etc. in a prime position to collect and process the personal information of users. Since all user data passes through telcos and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained”.

Swaraj Paul Barooah, policy director at Center for Internet and Society, said that the recommendations is worrying at one level since “There is nothing in the telecom sector that requires interim urgent intervention and it may mean that the privacy framework maybe further delayed.”