Current framework not enough for privacy, stop-gap measure needed: Trai

India’s telecom regulator will need a legal framework to enforce its recently released data protection and privacy recommendations, experts say. The Telecom Regulatory Authority of India (Trai) stated on Monday that people have the primary right to their data and firms can only access data after taking proper consent which makes clear the purpose behind collecting data. 

The recommendations go broad in their coverage and speak about data use by websites, apps, telecom operators as well as handset makers. The guidelines seek to bind all entities in a common framework which relies on data ownership and explicit consent. However, not everyone is happy. Industry has questioned Trai’s jurisdiction to regulate mobile applications (apps), websites, and other over-the-top (OTT) players. 

Trai recommendation to formulate standards of anonymisation and de-identification is akin to putting the cart before the horse, and till such time the Sri Krishna Committee is out and a notification or a law is passed, making these standards would be like groping in the dark,” said Internet and Mobile Association of India in a statement. 

Trai has said that the current framework of privacy is not sufficient and there needs to be a stopgap measure to protect user privacy till the time Justice Srikrishna-led panel brings out India’s privacy law. Srikrishna panel is looking deeply into issues of data storage, processing, anonymity, and commercial use of data collected from citizens. 

But this is not where the problem lies. Lawyers say that without the backing of a privacy law, these guidelines are going to be toothless. 

“It is good that Trai thought about it, but it is nothing but a regulatory stopgap measure which needs to be passed by the law till we have a comprehensive strong data protection law in place, and the regulations recognise that and state so. Without such data protection, people are left vulnerable,” said Delhi-based cyber lawyer Apar Gupta. 

This was echoed by Raman Chima, a lawyer who deals with data protection and privacy laws. Chima said these regulations will need licences and legal backing to work as there is no legal authority backing these guidelines without which these will not stand in a court of law, should anyone challenge it. 

Meanwhile, handset makers are not too happy with these regulations either as they questioned Trai’s jurisdiction on regulating players which do not need licences from the authority. 

“No section of the Trai Act allows it to venture into privacy, ownership of data, and more importantly, regulating the digital ecosystem beyond telecom companies.  They have crossed the red line drawn by Parliament, and are way outside their legislative limits. Trai has no powers, and even less expertise in this space,” said a spokesperson from Indian Cellular Association (ICA), which is an industry body of mobile phone manufacturers.  

The ICA has termed these guidelines “contentious and impractical” as the body said these will threaten investor confidence in the country at a time when it is much needed. 

Xiaomi, however, said that it is reading into these guidelines and remains committed to user privacy as it uses the highest levels of encryption. 

A similar view is seen from internet companies such as Mozilla, which runs open-source software, including their popular browser.

“The cart of technical solutions should follow the horse of the actual enshrinement of data protection rights in law,” said Amba Kak, lawyer and policy advisor, Mozilla. 

Kak also added that Trai’s regulations are “dangerous” in that the authority seeks to apply the telecom regulation framework “wholesale” to all the players in the ecosystem. 

Trai cannot act beyond its authority to regulate telecom companies, said Rajan Matthew, director-general of Cellular Operators Association of India.  

“I do not think Trai has jurisdiction on data protection beyond telecom operators, internet service providers, mobile virtual network operators, and broadcasters. It has no jurisdiction for mobile device manufacturers, app service providers, and browser providers,” he said. 

Another executive of a leading telecom company said they welcome Trai’s move to consider data protection as a serious issue in the industry but it remains unclear whether Trai can actually implement these. 

“There is no doubt that telcos as well as content providers and apps are the repository of data and should not share it or use it for their own business purpose. I think what Trai has done is consumer-friendly and is focusing on what the consumer wants. However, we have doubts whether Trai really has the jurisdiction on such areas at all,” the executive said.