Indians have full control over the data they share online and the right to decide how this information can be used by companies, the country’s telecom regulator has said.
“Each user owns his/her personal information/data collected by/stored with the entities in the digital ecosystem,” the Telecom Regulatory Authority of India (TRAI) said on July 16. “The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.”
Such data include information about goods and services procured and online activity, material stored on personal devices, and details related to family, employment, finances, lifestyle, and social activities, among others, according to a set of recommendations (pdf) TRAI issued for the sector.
These recommendations are in line with an August 2017 supreme court ruling recognising privacy as a fundamental right.
In addition, TRAI said users in India must have the ”right to be forgotten” wherein they can ask companies to erase the details they furnish online. This is in tune with global practices. For instance, the European Union and Argentina already give users the right to be forgotten.
In India, though, it has not been put to practice fully. In February 2017, the Karnataka high court upheld this right for the first time in the country but many such cases have been dismissed in the past.
These recommendations come in the aftermath of the Cambridge Analytica voter-manipulation scandal, which leaked the data of millions of Facebook users worldwide, including from India. TRAI also said that firms must disclose the information about privacy breaches on their websites and mention the actions taken to prevent them.
“This (recommendation paper) would include all devices, operating systems, browsers, and applications and would be a welcome stop-gap measure till rules and regulations of the telecom services providers are applicable to them,” said Rajan S Mathews, director general of industry group Cellular Operators Association of India. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained.”
Below is a snapshot of TRAI’s recommendation:
|The standards for anonymisation and de-identification of personal data generated and collected from users must be studied and formulated.|
|Privacy must be a priority for service providers, devices, browsers, operating systems, and applications. Companies should be restrained from using meta-data to identify users.|
|Consent mechanism should be built-in by service providers. “Pre-ticked boxes” to gain user content are not permissible. Terms and conditions or agreements must be multilingual, easy-to-understand, unbiased, and short.|
|Personal data of telecom consumers should be encrypted while being transmitted as well as during its storage. Decryption should only be permitted on a need basis by authorised entities in accordance with consent of the consumer or as per requirement of the law.|