Do all Indian regulators want a piece of the privacy pie? In 2017, the Supreme Court recognised a fundamental right to privacy in Puttaswamy vs Union of India, and the Centre constituted the Srikrishna Committee to help frame the country’s data protection law.
Even as we await this committee’s report, the Reserve Bank of India has mandated localisation of payment systems data (April 2018); the Centre’s e-commerce task force is deliberating data protection issues (April 2018); and last week, the Telecom Regulatory Authority of India (TRAI) issued recommendations on privacy, security and ownership of telecom sector data.
TRAI’s recommendations have left most stakeholders unhappy, including at least one senior member of the Srikrishna Committee. The telecom regulator has vacillated between, on the one hand, making wide-ranging recommendations on data protection generally while ignoring their impact on non-telecom sectors and, on the other, deferring to the Srikrishna Committee. Nothing in the telecom regulator’s recommendations explains this inconsistency. Meanwhile, one can only make informed guesses about the direction that the Srikrishna Committee’s views will finally take. The committee’s provisional views, found in its year-old consultation paper, may contain some clues.
The Srikrishna Committee cannot ignore TRAI’s recommendations: not only are they sweeping, with an impact on privacy as a whole, but telecom is also a critical national infrastructure, TRAI is an important regulator, and the Telecom Secretary, Aruna Sundararajan, is herself a committee member. How, then, do the telecom regulator’s views measure up against the committee’s provisional ones on key issues?
Applicability of the law
Both TRAI and the Srikrishna Committee agree that the country’s current data protection framework is inadequate. They also agree that the data protection law should apply to entities regardless of where they are physically located, so long as they process the data of Indian residents/citizens.
What information should be protected under the law?
TRAI and the Srikrishna Committee have both opined that it is important to specify what information is protected under data protection law and what is not, although they disagree on the specifics. They both agree that the law should protect individuals’ personal data, but disagree on what personal data actually is. Under current Indian law, data which can be used to identify an individual is “personal data” and, conversely, data which does not result in such identification is not personal data. TRAI is satisfied with this understanding, finding it to be in line with international standards. The Srikrishna Committee, by contrast, considers identifiability or the lack thereof a false binary in a world of new technologies, and feels that the current approach is unworkable.
Who should be liable under the law?
TRAI and the Srikrishna Committee both appear to agree that the law needs to clearly spell out who is accountable for breaches of data protection standards, but differ on how this should play out in practice. Specifically, the Srikrishna Committee seems to be leaning towards holding only data controllers liable, while TRAI has adopted a more hardline stance and feels that data controllers, data processors and any other entity handling the personal data of the user should be made accountable for any unintended harm to users.
User rights and consent
Both the telecom regulator and the committee agree that individuals should have core rights including notice and consent — the right to be notified of data collection and the right to consent to data collection. Other rights that both recognise for data subjects include the right to be forgotten and the right to data portability (both in limited forms). The committee, however, has identified certain additional user rights, which are not a part of TRAI’s recommendations. These include the right of users to access and rectify personal data, the right to object to and restrict processing (including for direct marketing), and the right against decisions being made only by automated processing.
On the other hand, on data ownership, TRAI has gone a step beyond the Srikrishna Committee. While the latter has acknowledged the need to ensure that data subjects have “full power” over their data, TRAI has categorically said users own their personal information, whereas entities that control or process user data “are mere custodians” with no primary rights over user data. On consent specifically, TRAI’s recommendations go well beyond the Srikrishna Committee’s provisional views. In a set of recommendations that are likely to have an impact across all sectors of the economy, TRAI has recommended that data controllers mandatorily disclose terms and conditions of use before the sale of devices and that they be barred from using “pre-ticked” boxes to gain consent. Further, the telecom regulator has recommended that a specific consent framework, along the lines of the Ministry of Electronics and Information Technology’s (MeitY) Electronic Consent Framework, be notified for the telecom sector.
Earlier, in 2016, the RBI was the first regulator in the country to adopt MeitY’s electronic consent framework via its master direction for account aggregators.
Data localisation
The Srikrishna Committee is of the opinion that data localisation requirements may be considered for certain sensitive sectors, but may not be advisable across the board. In particular, for the telecom sector, the committee has noted that requirements to locally store data in India might cause inconvenience to global telecom companies.
Interestingly, while TRAI has said that data is the new oil that would fuel economic growth, it has restricted itself to a general analysis of the merits and demerits of mandatory data localisation, without issuing concrete recommendations, on the grounds that these issues are pertinent to all sectors of the economy.
TRAI’s vacillation aside, its privacy recommendations are the first that we have seen from a regulator post Puttaswamy. Whatever the Srikrishna Committee’s final recommendations on the issues mentioned above may be, it is certain that sectoral regulators, including TRAI, RBI and others, will play a crucial role in shaping India’s data protection law in the years to come.
While we will no doubt see a country-wide data protection law, operationalising it in different sectors will be the responsibility of the respective regulators. Given this, TRAI’s recommendations are a useful insight into the regulator’s thinking.
Chaudhari heads the public policy practice at TRA Law and Joshi is a policy associate.