Users ‘own’their data, not Google or Facebook: Trai

New Delhi: The Telecom Regulatory Authority of India declared on Monday that a user “owns” his personal information and Google, Facebook and Twitter, among others, are only custodians and don’t have primary rights over their data.

In its recommendations on “Privacy, Security and Ownership of Data in the Telecom Sector”,  Trai said all entities in the digital ecosystem, which control or process data, must be restrained from using metadata to identify individual users. It said consumers must have the right to choice, consent and to be forgotten in order to safeguard their privacy.

Trai said the existing framework for protection of the personal information of telecom consumers in India was not sufficient. To protect telecom consumers against the misuse of their personal data, it said such companies should be brought under a data protection framework.

The Trai recommendations comes at a time when there are concerns worldwide over the privacy of Internet users and how personal data  is used by app developers. In the United States, Cambridge Analytica is facing an investigation over allegations that it stole 50 million Facebook users’ data to help its clients around the world to win elections, including US President Donald Trump.

In its recommendations, Trai said that till  a general data protection law is notified by the government, all existing rules applicable to telecom operators for the protection of users’ privacy be made applicable to all the entities in the digital ecosystem.

 For this, the government should notify the policy framework for regulation of devices, operating systems, browsers and applications.

“The right to choice, notice, consent, data portability, and the right to be forgotten should be conferred upon telecoinmunication consumers,” Trai said. However, it also added that the “right to data portability” and the “right to be forgotten” are restricted rights, and these  should be subjected to the applicable restrictions due to the prevalent laws.

Trai said that multilingual, easy-to-understand, unbiased, short templates of agreements/terms and conditions be made mandatory for all entities in the digital ecosystem for the benefit of consumers. Also, companies should be prohibited from using “pre-ticked boxes” to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.

Mobile device makers should disclose the terms and conditions of use in advance, before sale of the device. It should be made mandatory for the devices to incorporate provisions so users can delete pre-installed apps if he/she so decides. Also, users should be able to download the certified applications at his/her own will and the devices should in no way restrict such action by users.

“To ensure the privacy of users, a national policy for the encryption of personal data, generated and collected in the digital ecosystem, should be notified at the earliest,” Trai said.

It said for ensuring the security of personal data and the privacy of telecommunications consumers, personal data of consumers should be encrypted during motion as well as during storage in the digital ecosystem. Decryption must be permitted on a need basis by authorised entities in accordance with consumers’ consent or as per legal requirements.

“All entities in the digital ecosystem, including telecom service providers, should transparently disclose the information on privacy breaches on their websites along with the action taken for the mitigation and prevention of such breaches in the future,” Trai added.