TRAI has yesterday published its recommendations on the much-debated issue of privacy and data protection. According to PTI reports, The Internet and Mobile Association of India (IAMAI) said Trai’s recent recommendations on data privacy are based on a ‘voice and SMS regime’ and may affect data-driven businesses.
The Authority has specifically recommended the following:
a) The user is the owner and collecting and sharing agencies are custodians.
b) Study to formulate standards of anonymisation and de-identification.
c) No use of metadata to identify individuals.
d) The existing framework not sufficient to protect telecom consumers.
e) Current rules are applicable to TSPs.
f) Privacy by design principle couple with data minimisation should be made applicable to all the entities in the digital ecosystem.
According to IAMAI, the in-principle TRAI recommendations are around users’ ownership of data, no use of meta data to identify individuals and Privacy by design principle coupled with data minimisation should be made applicable to all the entities in the digital ecosystem, and the Sri Krishna committee set up MeitY is already examining them and other principles.
However, the TRAI recommendation to formulate standards of anonymisation and de-identification is akin to putting the cart before the horse, and till such time the Sri Krishna committee is out and a notification or a law is passed, making these standards would be groping in the dark.
TRAI’s assertion that the existing framework is not sufficient to protect telecom consumers and current rules applicable to TSPs is prima facie, contradictory.
The TRAI recommendations on privacy are premised on a voice and SMS regime. It is not meant for data driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give Call Detail Records. Incidentally, the Sri Krishna Committee under the Ministry of IT, which is the nodal body for apps as well as for handset manufacturers, is deeply, looking into this issue of consent, which is a fair thing to do.
According to IAMAI, if the same rules are applied, then there is a possibility that no one will ever be able to build data businesses in India.