The Telecom Regulatory Authority of India (Trai) said the framework for protection of personal information is “not sufficient” and that the issue of data ownership, privacy, and security is complex and multi-dimensional. It suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information and empowerment of customers to keep their data secure.
The telecom watchdog further said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information.
Some experts said the recommendation that mandates devices to allow consumers to delete even pre-installed apps or download any pre-certified app — without restriction — could force device makers such as Apple to change the contours of their content and privacy policies, if implemented by the government.
They, however, questioned whether the Department of Telecommunications (DoT) — to which the suggestions have been sent — has the ambit to frame laws to regulate apps, operating systems and browsers.
Telcos and internet service providers (ISPs) though welcomed recommendations that sought to bring app makers under the same regulations. However, content providers have been opposed to being brought under more regulation.
They say that they are already covered under the IT Act and that they should not be equated with telcos that operate in a different market. Any further regulation would stifle innovation, they said. Trai said wider checks were needed to protect consumers since most of the data is accessed through telecom networks.
“Unlike in the past, when the intelligence was residing in the telecom networks only and user devices were not intelligent, now, smart devices (including operating systems, browsers, applications etc) are increasingly playing a gate-keeping role over the network: they determine how users connect to and experience a network,” Trai said, explaining its recommendations, which were issued on Monday.
“As with telcos, all user data flows through these smart devices, putting the device manufacturers, browsers, operating systems, and applications etc. in a prime position to collect and process the personal information of users.” Since all user data passes through telcos and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities, Trai said. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained,”
Cellular Operators Association of India director general Rajan S Mathews said in an emailed release. “National security and privacy issues are of paramount importance. Accordingly, the regulator by making this recommendation, is ensuring that no exception is made for any service provider.” The regulator said all entities in the digital ecosystem that control or process personal data should be brought under a framework or notified rules to protect mobile phone users against misuse of their personal data.
“Till such time a general data protection law is notified by the government, the existing rules/ licence conditions applicable to TSPs for protection of users' privacy be made applicable to all the entities in the digital ecosystem,” it said. The government should notify the policy framework for regulation of devices, operating systems, browsers, and applications, it added.
ET had first reported on Trai’s plans to recommend the regulation of more entities including apps on April 13. The recommendations—which require DoT approval—come as the government works on its first data protection law. Trai chairman RS Sharma said that the recommendations will be sent to a committee headed by former Supreme Court judge BN Srikrishna, which is devising a framework for data protection in India.
“I'm not sure whether DoT is the right entity to provide a policy framework, as Trai puts it, for the regulation of applications, browsers, and operating systems,” said Pranesh Prakash, affiliated fellow of the Information Society Project at Yale Law School and fellow at Delhi's Centre for’Internet and Society.
INDUSTRY REACTIONS
While app makers have traditionally opposed any kind of additional regulation, Paytm chief operating officer Kiran Vasireddy welcomed Trai’s move.
“Our country is currently undergoing the formulation of a comprehensive data protection and security framework,” he said. “This will help set an important benchmark. Paytm has always stood up for data localisation and data sovereignty and will continue its efforts in this direction.”
Internet Service Providers Association of India (ISPAI) president Rajesh Chharia said Trai’s recommendations to extend the same rules as telcos and ISPs to digital ecosystem entities like browser developers and apps developers “will force them to take greater responsibility on this score, which is ultimately good for the consumer”.
In a recommendation that appears to be directed specifically at Apple, Trai has said that mobile phones or devices should disclose the terms and conditions of use before sale and have mandated that users can delete pre-installed apps and be able to download certified apps without restrictions.
These specific recommendations affect some operating systems such as Apple’s iOS, which doesn’t allow users to download any app they wish to, said Prakash. “But it is a question of software freedom and consumer rights more than data protection,” he said.
The iPhone maker has been involved in a spat for more than a year with Trai over the regulator’s demand for access to call logs and text messages that are required for filing complaints through Trai’s own do-not-disturb (DND) app.
Trai has been pushing Apple to allow the app on its devices, saying the move was in consumer interest but Apple has yet to accept this in its App Store, citing its privacy rules that do not allow third-party apps access to calls or messages.