User's have “supreme” right over their own data, not telecom firms: TRAI

• Telecom Regulatory Authority of India (TRAI) backs users’ “supreme” right over their own data.
  
• Telecom regulator recommends giving the users the right to choice, notice and consent while they share their data with internet giants.
  
• It also recommends that the government put a mechanism in place for redressal of telecommunication consumers' grievances relating to data ownership, protection and privacy.

On the 16 July, Telecom Regulatory Authority of India (TRAI) recommended that the ownership of data generated by telecom consumers should rest with the users and not the telecom firms. Therefore, the companies should not use meta-data to identify users and should disclose any and all data breaches.

TRAI went on to say that the existing framework for data was insufficient for the protection of the consumers and thus the government must formulate a policy for regulation of devices, operating systems, browsers and apps along the lines of the 77 pages of recommendations on ‘privacy, security and ownership of data in the telecom sector’, submitted by TRAI.

In the meanwhile, the regulatory body suggests bringing apps and mobile devices under the primary laws that govern telecom companies.

Though TRAI’s recommendations are not binding, they do assume importance in the backdrop of the several data breach cases that have taken place recently including the one at Facebook. And these data breaches are a cause of concern because at least one cybercrime in India takes place every 10 minutes.

Since the recommendations come ahead of the Justice BN Srikrishna committee’s recommendations on data privacy, it may impact the detailed data protection framework that the committee is formulating for the country. And that in turn may have the potential to affect the working and business of big firms like Amazon, Facebook, Apple and Google.

The telecom regulator said that the user agreements written by these firms are difficult to understand and complicated. They need to be simplified and must be available in languages other than English or Hindi as India is a multilingual country. They must also not be allowed to use "pre-ticked" boxes to gain users consent, said TRAI.

According to TRAI, users do not understand the implication of the agreement and often need to just give consent in order to use services that the device or app has to offer and there is no real room for choice. TRAI recommends that the data controllers must secure explicit consent of the user for collecting and controlling his/her personal data before creating the database.

Users, while giving their data to the firms, must have the right to notice what’s being done with their data, choose what data to share, give consent for using their data and the right to be forgotten.

This is first time 'Right to be Forgotten' has been given some attention by the Indian authority. It gives a user the right to delete any past data that they believe is not important or is detrimental The past data could be photographs, call records, video clippings and so on which could potentially harm the reputation of the consumer. The right to be forgotten is a restricted right and should be subject to consequently applicable laws.

Lack of data privacy laws can allow a firm to receive access of a user’s camera and microphone and just with the help of that, the firm can run real time facial recognition algorithms, use advanced tech to create a three-dimensional model of the user's face or even upload random frames of video stream being accessed by the user. The users may not even be aware when they are being tracked and observed by these internet giants.

TRAI pointed out that firms must be barred from collecting unrelated and unnecessary data of the users which can be misused. They must also be made to report whether the user’s data will be disclosed to third parties or if there was any data breach and how the company is planning to cope with it.

With the number of our connected devices growing, things are all the more risky as most of the data collected is personal - like regarding one’s work, education, purchases made, etc. And what is worse is that the users have no way to access, delete or amend their own data of which they are the “mere custodians”.

TRAI has also recommended that the Government put a mechanism in place for redressal of telecommunication consumers' grievances relating to data ownership, protection and privacy.