Given that the Justice BN Srikrishna panel on data privacy is supposed to be submitting its report any time now, after which a privacy law will be framed by the government, it is not quite clear why the telecom regulator, Trai, has come out with its recommendations on data privacy\/security\/ownership; all aspects of the subject, after all, will be covered by Srikrishna. Indeed, it is not clear how Trai expects the government to \u2018notify the policy framework for regulation of devices, operating systems, browsers and applications\u2019 since Srikrishna\u2019s mandate is to come up with this very data protection framework. And, since a new law has to come in place anyway, it makes little sense to, in the interim, mandate that the privacy rules that apply to telcos \u2018be made applicable to all the entities in the digital ecosystem\u2019 as Trai suggests. That said, Trai\u2019s broad formulations are on the right track and, going by the paper put out by the Srikrishna panel for discussion last year, the panel will also offer solutions along similar lines. So, after reiterating the need for pretty basic principles like the right to data portability and the right to be forgotten, Trai says that data controllers\u2014a PayTM, a WhatsApp or even a YouTube\u2014must be prohibited from using \u2018pre-ticked boxes\u2019 to get user-consent and suggests that the consent mechanism be made a lot more granular than it is today. This is what Srikrishna had termed \u2018consent fatigue\u2019 in its discussion paper, a term used to describe users getting confused by long and convoluted consent forms. In the event, the Srikrishna panel is likely to come up with certain rules\u2014for instance, no agency will collect more data than it requires (Trai calls this \u2018data minimisation\u2019) and it will have to explain why this is being collected. Why does every app you download, for instance,\u00a0want to have access to your address book, calendar, location, etc? It is critical for Uber to know where you are in order to send a cab, but does it need to store this information or pass it on to someone else who will target you with, say, advertisements based on the places you visited? PayTM needs access to your contacts to be able to make payments to them, but it should be restricted to just that; and, more importantly, should you choose not to give access, in most cases, the apps simply don\u2019t work. Srikrishna also envisages having a data protection agency to enforce these rules\/guidelines with the help of a data protection officer in each organisation whose job it will be to ensure the guidelines are followed. Trai, similarly, is right in saying the department of telecommunications needs to re-examine its encryption standards\u2014if encryption standards are not high, how is data to be protected when it is being used or even stored? Since the rules\/framework mean little unless they can be enforced, ensuring that all data resides in India is critical\u2014another option is to allow the data to be sent overseas but to mandate that a copy be kept in Indian servers. Trai\u2019s argument that each citizen \u2018owns\u2019 her personal information or data collected, however, is quite problematic, though it is easy to understand the thinking behind it. If each citizen \u2018owns\u2019 her data, the logical corollary is that there will be a \u2018market\u2019 where such data is bought and sold. Once this becomes the norm, and, say, company A offers a discount on shopping\u2014or plain cash\u2014to \u2018buy\u2019 someone\u2019s data, it is very problematic to track whether the data being sold by it to a third party actually \u2018belongs\u2019 to company A. Of course, whether we use Trai\u2019s formulation or Srikrishna\u2019s, protecting privacy is a complex, and constantly evolving task\u2014and no matter how many rules are laid out, decades of legal challenges\/suits will play a role in how this finally pans out.