GS Paper-3, Science and Technology, Infrastructure
Why in news?
Telecom Regulatory Authority of India has ruled that People should have right to their data.
What is the TRAI’s recommendation?
In a move with far-reaching ramifications, the Telecom Regulatory Authority of India (TRAI) said that users owned their data, while entities in the digital ecosystem storing or processing such data were mere custodians.
The recommendations have come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.
The authority said it was limiting its recommendations to telecom service providers (TSPs) as the larger issues on data protection.
For all other sectors the issues would be addressed by the committee headed by Justice B N Srikrishna.
TRAI claimed that existing norms “not sufficient” to protect consumers and ruled that entities processing user data mere custodians sans primary rights
The regulatory authority stated that firms should disclose data breaches in public and should list actions taken for mitigation, preventing breaches
Apart from that consumers should be given right of consent, right to be forgotten and study should be undertaken to formulate the standards for de-identification of personal data
TRAI’s right to be forgotten empowers users to delete past data that they may feel is unimportant or detrimental to their present position.
Past data could be in terms of photographs, call records, video clippings and so on.
Mandatory provisions should be incorporated in devices so that users can delete pre-installed applications
Terms and conditions of data use should be disclosed before the sale of a device
Data controllers should be prohibited from using pre ticked boxes to gain user’s consent.
How can the above recommendations be implemented?
To ensure the privacy of users, national policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the government at the earliest.
Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to service providers for protection of users’ privacy be made applicable to all the entities in the digital ecosystem.
For this purpose, the government should notify the policy framework for regulation of devices, operating systems, browsers, and applications.
It has also been proposed that privacy by design principle coupled with data minimisation should be made applicable to all the entities in the digital ecosystem.
These recommendations when accepted by the government will mean that entities like browsers, mobile applications, devices, operating systems and service providers, among others.
Such entities will not be able to share personal data with third parties without getting the consent of customers.