TRAI has recently released its recommendations on privacy, security and ownership of data for the telecom sector.
The regulator has suggested that the existing regulatory laws applicable to telecom players should also apply to all other entities in the digital ecosystem, including devices, operating systems, browsers and applications. It has also recommended that a study be undertaken to formulate standards for the anonymisation and de-identification of personal data. Further, it has suggested that the government formulate a national policy for the encryption of personal data generated and collected in the digital ecosystem at the earliest.
That said, there are certain areas such as data localisation, cross-border data flows, legitimate exceptions to privacy, lawful interception, and responsibilities of data controllers and technology-based audits that TRAI has not touched upon.
These recommendations have created a stir in the industry, not so much for their content or substance, but for their timing and jurisdiction. While these recommendations are well meaning, privacy is not a topic that comes under TRAI’s or DoT’s jurisdiction. It, incidentally, lies in the remit of MeitY, which has already appointed a committee to look into the matter. The 10-member panel headed by Justice B.N. Srikrishna was set up in July 2017 to suggest principles for data protection and formulate a draft data protection bill. The committee was expected to submit its report in May 2018, but is yet to finalise it.
In such a scenario, TRAI’s recommendations seem a little premature. Of course, these suggestions could well be used by the Srikrishna Committee as inputs while formulating the final framework on data protection. As the data ecosystem becomes more complex, safeguarding data privacy is undeniably the need of the hour.
