Given that the Justice BN Srikrishna panel on data privacy is supposed to be submitting its report any time now, after which a privacy law will be framed by the government, it is not quite clear why the telecom regulator, Trai, has come out with its recommendations on data privacy/security/ownership; all aspects of the subject, after all, will be covered by Srikrishna. Indeed, it is not clear how Trai expects the government to ‘notify the policy framework for regulation of devices, operating systems, browsers and applications’ since Srikrishna’s mandate is to come up with this very data protection framework. And, since a new law has to be put in place anyway, it makes little sense to, in the interim, mandate that the privacy rules that apply to telcos ‘be made applicable to all the entities in the digital ecosystem’ as Trai suggests.
That said, Trai’s broad formulations are on the right track and, going by the paper put out by the Srikrishna panel for discussion last year, the panel will also offer solutions along similar lines. So, after reiterating the need for pretty basic principles like the right to data portability and the right to be forgotten, Trai says that data controllers—a PayTM, a WhatsApp or even a YouTube—must be prohibited from using ‘pre-ticked boxes’ to get user consent and suggests that the consent mechanism be made a lot more granular than it is today. This is what Srikrishna had termed ‘consent fatigue’ in its discussion paper, a term used to describe users getting confused by long and convoluted consent forms.
In the event, the Srikrishna panel is likely to come up with certain rules—for instance, no agency will collect more data than it requires (Trai calls this ‘data minimisation’) and it will have to explain why this is being collected. Why does every app you download, for instance, want to have access to your address book, calendar, location, etc? It is critical for Uber to know where you are in order to send a cab, but does it need to store this information or pass it on to someone else who will target you with, say, advertisements based on the places you visited? PayTM needs access to your contacts to be able to make payments to them, but it should be restricted to just that; and, more importantly, should you choose not to give access, in most cases, the apps simply don’t work. Srikrishna also envisages having a data protection agency to enforce these rules/guidelines with the help of a data protection officer in each organisation whose job it will be to ensure the guidelines are followed. Trai, similarly, is right in saying the department of telecommunications needs to re-examine its encryption standards—if encryption standards are not high, how is data to be protected when it is being used or even stored? Since the rules/framework mean little unless they can be enforced, ensuring that all data resides in India is critical—another option is to allow the data to be sent overseas but to mandate that a copy be kept on Indian servers.
Trai’s argument that each citizen ‘owns’ her personal information or data collected, however, is quite problematic, though it is easy to understand the thinking behind it. If each citizen ‘owns’ her data, the logical corollary is that there will be a ‘market’ where such data is bought and sold. Once this becomes the norm, and, say, company A offers a discount on shopping—or plain cash—to ‘buy’ someone’s data, it is very problematic to track whether the data being sold by it to a third party actually ‘belongs’ to company A. Of course, whether we use Trai’s formulation or Srikrishna’s, protecting privacy is a complex and constantly evolving task—and no matter how many rules are laid out, decades of legal challenges/suits will play a role in how this finally pans out.