The Telecom Regulatory Authority of India (Trai) on Monday suggested that pending a notification of a general data protection law by the government, the existing regulatory laws applicable to telecom players be made applicable to all entities in the digital ecosystem to strengthen privacy of users’ data. What this means is that the regulator has urged the government to notify a policy framework for regulation of devices, operating systems, browsers and applications in the same manner as mobile operators are regulated currently.
Simply put, as currently there are regulations and laws which mandate telcos as to how they they can store call data records of subscribers, Trai wants that the government also regulates all consumer data stored in the cloud by devices, operating systems, browsers and applications. If the subscriber wants that his data be deleted from the cloud, then the regulation should ensure this.
The recommendations by Trai were drawn suo motu after consulting stakeholders and forwarded to the department of telecommunications.
Analysts are a little sceptical as to how Trai will be able to achieve this purpose because the storage on cloud happens outside the country by most device makers and operating systems and they do not have servers within the country.
In such a scenario, how Trai expects the government to ensure that if it makes a law it would be adhered to is not clear since Trai has not talked about storing data locally, which means that servers are brought within the country.
The larger issue of data privacy and local storage and the like is being looked at by a committee set up by the government under retired justice BN Srikrishna, based on which the government plans to frame a law. Trai’s recommendations are meant to act as inputs for the committee.
Trai has recommended that devices, operating systems and apps be brought under regulation because currently the regulator regulates only telecom players and not these entities. However, Trai has nowhere said it should be vested to regulate these added entities and it is up to the government as to how it regulates them.
Analysts said another problem with the Trai recommendation is that if the government chooses to go by it, it would have to make laws twice, one now and later when the Srikrishna committee report comes.
Pointing out that existing regulations protecting the personal data of telecom subscribers are insufficient, Trai said entities controlling and processing this information are merely custodians and not owners.
As part of its regulatory measures it has suggested making it mandatory for devices makers to incorporate provisions allowing users to delete pre-installed applications on their device as well to be able to download certified apps at his or her own will and that the devices should in no manner restrict such actions.