In Digital Ecosystem, Telecom Users Have Right Over Personal Data, Companies Are Mere Custodians, Says TRAI [Read Report]

In Digital Ecosystem, Telecom Users Have Right Over Personal Data, Companies Are Mere Custodians, Says TRAI [Read Report]

Telecom watchdog Telecom Regulatory Authority of India (TRAI) has said users have the primary right over their personal information while entities controlling or processing this data are mere custodians who should be brought under a data protection framework to protect consumers from misuse of their personal data.

“Each user owns his/ her personal information/data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data,” TRAI said in its recommendations to the Department of Telecom.

“The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers,” it said while also recommending that “in order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers”.

It also said the existing framework for the protection of the personal information/data of telecom consumers is not sufficient and suggests that the government should notify policy framework for regulation of devices, operating systems, browsers and applications.

TRAI’s recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector" come after it suo motu issued a Consultation Paper on August 9, 2017, followed by an open house discussion before formulating the recommendations.

Some of the recommendations made by TRAI are as under:



  • Each user owns his/her personal information/data collected by/stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.

  • A study should be undertaken to formulate the standards for anonymisation/de-identification of personal data generated and collected in the digital eco-system.

  • All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.

  • The existing framework for protection of the personal information/ data of telecom consumers is not sufficient. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework.

  • For the benefit of telecommunication users, a framework, on the basis of the Electronic Consent Framework developed by MeitY and the master direction for data fiduciary (account aggregator) issued by Reserve Bank of India, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users. The Right to Data Portability and Right to be Forgotten are restricted rights, and the same should be subjected to applicable restrictions due to prevalent laws in this regard.

  • Data Controllers should be prohibited from using "preticked boxes" to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.

  • Devices should disclose the terms and conditions of use in advance, before sale of the device.

  • It should be made mandatory for the devices to incorporate provisions so that user can delete pre-installed applications if he/she so decides. Also, the user should be able to download the certified applications at his/her own will and the devices should in no manner restrict such actions by the users

  • All entities in the digital ecosystem, including telecom service providers, should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.

  • A common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including telecom service providers. It should be made mandatory for all entities in the digital ecosystem, including all such service providers to be a part of this platform.


Read the Recommendations Here