Home >> Blog >> TRAI recommendations on “Privacy, Security and Ownership of Data” in the Telecom Sector
13 Aug 2018

TRAI recommendations on “Privacy, Security and Ownership of Data” in the Telecom Sector

The Telecom Regulatory Authority of India (TRAI), has issued its Recommendations on “Privacy, Security and Ownership of Data in the Telecom Sector” on July 16, 2018. The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data.

These recommendations can also be seen as inputs and the framework set out for the recently released Data Protection Bill. The recommendations also to be viewed in the light of the following events:


  1. in 2016, the Department of Telecommunications (DoT) sought TRAI’s recommendations on quality of service, roaming requirements and spectrum requirements related to M2M communications. Though TRAI had raised issues pertaining to the privacy and security of M2M communications in the consultation paper, however the same was not addressed in their recommendation as it was decided to be dealt separately; and
  2. in 2017, the Supreme Court of India in the case of S. Puttaswamy Vs. Union of India (WRIT PETITION (CIVIL) NO. 494 OF 2012), had unanimously recognized the constitutional right to privacy rooted in human dignity and individual autonomy. The Court declared that privacy constitutes an intrinsic part of the right to life and personal liberty under Article 21.

Post these two incidents, in August 2017 TRAI issued a consultation Paper on “Privacy, Security and Ownership of Data in the Telecom Sector” seeking comments from the stakeholders. The primary objective behind the paper was to:

(a) identify the scope and definition of Personal data, Ownership and Control of data of users’ in telecom services.

(b) understand and Identify the Rights and Responsibilities of Data Controllers.

(c) assess the adequacy and efficiency of data protection measures currently in place; and

(d) Identify the key issues pertaining to data protection in relation to the delivery of digital services.

Having received comments from the stakeholders, TRAI also organized an open house discussion on the subject. After considering the additional inputs and comments from the Open House Discussion, TRAI formulated its recommendations.

Some of the major recommendations made by TRAI are as follows:

Personal Data:

The definitions of “Data” as provided under the Information Technology Act, 2000, and “Personal Information” and “Sensitive Personal Data and information” as provided under Sensitive Personal Data and Information Rules, 2011, are considered adequate.

  • Each user owns his/her personal information/data collected by and/or stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.
  • All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users.

Sufficiency of existing Data Protection Framework:

  • The existing framework for protection of the personal data is not sufficient. To protect the consumers against the misuse of their personal data by the broad range of data controllers and processors (entities), these entities should be brought under a data protection framework.
  • Till such time a general data protection law is notified by the Government, the existing Rules/ License conditions applicable to Telecom Service Providers (TSPs) for protection of users’ privacy be made applicable to all the entities. For this purpose, the Government should notify the policy framework for regulation of Devices, Operating Systems, Browsers and Applications.
  • Privacy by design principle should be made applicable to all the entities i.e. Service providers, Devices, Browsers, Operating Systems, Applications etc.

User Empowerment:

  • The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the consumers.
  • For the benefit of users, a framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.
  • The Right to Data Portability and Right to be Forgotten are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard.
  • Multilingual, easy to understand, unbiased, short templates of agreements/ terms and conditions be made mandatory for all the entities for the benefit of consumers.
  • Data Controllers should be prohibited from using “preticked boxes” to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
  • Devices should disclose the terms and conditions of use in advance, before sale of the device.
  • Making mandatory provisions in the devices to enable users to delete pre-installed applications, which are not part of the basic functionality of the device.
  • The Government should put in place a mechanism for redressal of consumers’ grievances relating to data ownership, protection, and privacy.

Data Privacy and Security of Telecom Networks:

  • DoT should re-examine the encryption standards, stipulated in the license conditions for the TSPs, to align them with the requirements of other sectors.
  • To ensure the privacy of users, a National Policy for encryption of personal data, generated and collected in the digital eco-system, should be notified by the Government.
  • Personal data should be encrypted during the motion as well as during the storage in the digital ecosystem.
  • All entities should be encouraged to share the information relating to vulnerabilities, threats etc. to mitigate the losses and prevent recurrence of such events.
  • All entities should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.
  • A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including Telecom service providers.
  • Sharing of information concerning to data security breaches should be encouraged and incentivized to prevent/ mitigate such occurrences in future.




Related Post

Share this:

Leave a Reply

Your Email address will not be published. Required fields are marked *