CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part I

TRAI published a Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector (Consultation Paper) on August 9, 2017.

Since then, the Supreme Court of India has affirmed that the right to privacy is a fundamental right under the Indian Constitution, in a detailed judgment in Puttaswamy v. Union of India[1]. The Ministry of Electronics and Information Technology (MEITY), Government of India has also set up a Committee of Experts (COE) to identify key data protection issues in India and recommend methods of addressing them[2]. The COE was also expected to suggest a draft data protection bill.

The COE has now drafted a white paper to solicit public comments on the shape that India’s data protection law must take.

With so many discussions on the state of the right to privacy and data protection laws in India, it is clear that there is an immediate need for better laws and regulations on privacy and data protection in India, in the telecom sector as well as other sectors.

The Centre for Communication Governance (CCG) responded with comments to the TRAI Consultation Paper earlier this month (see our full response here or here).

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI, in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. We also highlight those sections of our responses and recommendations that relate to issues and questions discussed in the COE’s white paper.

In today’s post, the first of the series, we highlight the background against which we have provided our responses and recommendations.

1.     Privacy as a Fundamental Right

The Supreme Court in Puttaswamy v. Union of India[3] has affirmed and recognised that the right to privacy is a fundamental right under Article 21 of the Constitution. It may also be drawn as a fundamental right under any of the other fundamental rights recognised under the Constitution. Accordingly, the Court has observed that although the right is not absolute, any restrictions imposed by the State on the right to privacy must be ‘reasonable restrictions’. These reasonable restrictions must meet the various tests for limitations / violations of the right, applicable in relation to the relevant fundamental rights. At the same time, the Court has also noted that there is a positive obligation for the state to create a regulatory environment that allows individuals to enjoy their right to privacy.

In recognising privacy as a fundamental right, J. Chandrachud, J. Chelameswar, J. Kaul and J. Nariman have, in their various opinions have observed that informational privacy is an important aspect of such privacy in this day and age. J. Chandrachud has noted the setting up of the Committee of Experts, and recommended that the central government puts in place a robust data protection regulation in place in order to protect this right.

In the observations that lead up to his conclusions, J. Chandrachud has also noted that data protection regulation is a complex issue which needs to address many aims[4]. The first of these aims is the individual’s right to be left alone. Second and more importantly, the regulation needs to ensure that the individual’s identity is protected. Third, the individual’s autonomy in making decisions about the use of data about them, and their right to know how this data is being used must be protected. Fourth, data protection regulation should ensure that data is not collected in a manner that is discriminatory towards anyone.

2.     Current data protection laws

Our assessment is that the current data protection rules are insufficient to protect the interests of data subjects, including telecom subscribers.

The Consultation Paper has at various points referred to the report of the Group of Experts, headed by (Retd.) Justice A. P. Shah, in 2012 (GOE Report)[5]. We note that this GOE report found the various data protection rules that are currently applicable, inadequate[6]. The GOE Report has examined best practices and principles of data protection laws across the world, and recommended the incorporation of a set of 9 national privacy principles in any proposed privacy law[7]. The GOE Report has then gone on to find that the existing data protection regulations do not meet the requirements set forth in these principles[8].

The existing data protection laws, including particularly the provisions under the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under the IT Act (IT Rules) have also been criticised by industry and civil society members alike[9]. The IT Rules are ambiguous and do not properly define the roles and responsibilities of data controllers and processors[10]. There is no clarity on the nature of the data that the rules are applicable to. Further, the provisions under the IT Act do not provide for penalties or consequences for failure to comply with the IT Rules, and provide only a compensation mechanism that is difficult to enforce[11].

We are in agreement with the part of Consultation Paper which points out that some of the principles set out in the GOE Report may need to be reformulated in today’s age of big data[12]. However, we note that the data protection regulations fall short even of the outdated standards set forth in the principles listed by the GOE Report. More work will be necessary to define new standards and develop strategies to ensure that data protection framework meets these standards.

[1] Writ petition (civil) no 494 of 2012, (2017)6MLJ267
[2] Office Memorandum No. 3(6)j2017-CLES, available at  http://meity.gov.in/writereaddata/files/MeitY_constitution_Expert_Committee_31.07.2017.pdf (last visited on November 5, 2017)
[3] Writ petition (civil) no 494 of 2012, (2017)6MLJ267
[4] Paragraphs 177 and 178, J. Chandrachud’s opinion, Puttaswamy v. Union of India (2017)6MLJ267
[5] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf (last visited on November 5, 2017)
[6] Report of the Group of Experts on Privacy, Chapter 4
[7] Report of the Group of Experts on Privacy, Chapter 3
[8] Report of the Group of Experts on Privacy, Chapter 4
[9] Outsourcing: India adopts new privacy and security rules for personal information, available at https://www.lexology.com/library/detail.aspx?g=9a9b9ec0-e390-45b8-a6f1-4363e29e9af3 (last visited on November 5, 2017); and Bhairav Acharya, Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, available at https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011 (last visited on November 5, 2017)
[10] Smitha Krishna Prasad, Draft white paper on the IT Act and the data protection rules, (to be published, and available on request)
[11] Smitha Krishna Prasad, Draft white paper on the IT Act and the data protection rules, (to be published, and available on request)
[12] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9

Unable to display Facebook posts.
Show error

Error: Error validating access token: The user has not authorized application 1332798716823516.
Type: OAuthException
Code: 190
Subcode: 458
Please refer to our Error Message Reference.