The discourse of technology policy circles in Delhi these days concerns delays in the publication of the Srikrishna Committee's report on data confidentiality: Will they release a law, or is it only recommendations? Were the recommendations delayed because the committee is now undecided about the location of the data, given the reaction to the apparently unexpected RBI diktat regarding the location of financial transaction data? The faction iSpirt / UIDAI / 'Nandan-Nilekani': Is the Srikrishna Committee digging deeper about the location of the data?
Or do they not want it to affect Aadhaar and Judge Srikrishna? Is there any interest in the Srikrishna Committee, since the bill may never be introduced: the opposition cannot let the Monsoon session take place in Parliament, and there is very little chance to work during the winter session? The recommendations of TRAI are very important, especially since the President of TRAI is the former CEO of UIDAI, TRAI took up this consultation suo moto, and there is talk of him leading India's data protection authority after the end of his tenure at TRAI.
These recommendations are seen as a signal for what should come from the Srikrishna Committee.
Questions that TRAI Avoided
Before getting into what TRAI recommended, I think it's worth looking at what TRAI avoided speaking about:
- Data Localization,
- Cross-
- Legitimate Exceptions to Privacy,
- Lawful Interception,
- Responsibilities of Data Controllers and Technological Audits
These are all contentious topics and, from what we heard, there is a lot of pressure from law enforcement agencies for access to user data. TRAI, which has been particularly focused on consumer interests, has avoided entering certain potential minefields.
More importantly, it did not address the issues of mass surveillance and prevention. Saying that the privacy protection framework is being developed, "the Administration has decided to make no recommendation".
… everything that TRAI covered in this document is part of the privacy protection framework under development. This is not a sufficient reason for TRAI to withhold its comments here while commenting on everything else. Somewhere in the document, it says that "since data is collected by both private and governmental entities, the data protection framework should be applicable to both government and private entities", which is a welcome development, but TRAI has done a fairly decent analysis of cross-border data flow and data location issues without taking a stand.
Recommendations of TRAI on privacy and data protection
1. Ownership of personal data:
- Each user owns his personal information / data collected by / stored with the entities of the digital ecosystem. Entities controlling and processing such data are mere custodians and have no primary rights to these data.
TRAI says that data is not just a property and that it "… appears illogical / unfair to allow a complete transfer of rights over an individual's personal data. This would imply that personal data can no longer be used / accessed by data owners – a situation that is clearly untenable. In these circumstances, it must be recognized that if data controllers can actually collect and process personal data, they must be subject to various conditions and obligations – including the explicit consent of the individual, using the personal data only for identified purposes. The entity that controls the personal data would be responsible for compliance with the data protection standards."
TRAI recommended a study to formulate standards for the anonymization and de-identification of personal data and further stated that
- All entities in the ecosystem who control or process the data should be prevented from using metadata to identify individual users.
How exactly does TRAI expect that all the entities of the digital ecosystem be prevented from using metadata to identify individual users?
2. Competence of TRAI Recommendations:
Two aspects of TRAI's recommendations appear to go beyond its powers. It says:
- Until a general law on data protection is notified by the government, the existing rules / conditions of license applicable to TSPs for the protection of users' privacy should be applicable to all entities in the digital ecosystem. To this end, the government should notify the policy framework for the regulation of devices, operating systems, browsers and applications.
These recommendations, together with recommendations for devices that allow users to remove pre-installed applications, and previous comments by the TRAI Chair regarding devices in the telecommunications ecosystem, appear to be intended to extend the competence of TRAI beyond telecommunications. Remember that when this document came out, it seemed to be more about the Internet than telecommunications, and we had pointed out that TRAI does not have jurisdiction over the Internet. There is no doubt that these recommendations are well-intentioned, but privacy is not really part of the remit of TRAI or DoT. This should be with MeitY, in the absence of a data protection authority.
A positive development is TRAI's suggestion:
- Since the data are collected by private and governmental entities, the data protection framework should be applicable to both government and private entities.
R S Sharma, Head of the Telecommunications Regulatory Authority of India (TRAI). Image: Reuters
3. Data Minimization and Privacy by Design:
- The concept of privacy by design should apply to all entities in the digital ecosystem: service providers, devices, browsers, operating systems, applications, etc. "Data minimization" should be inherent to the implementation of the concept of privacy by design. Here, "data minimization" refers to the concept of collecting the minimum necessary data that is essential to provide this particular service to consumers.
4. Portability and Deletion of Data
- The right to portability of data and the right to be forgotten are restricted rights, and they should be subject to restrictions as a result of the laws in force in this respect.
TRAI here seems to confuse the right to be forgotten, which refers to removal from the search engine index, with the deletion of the data. That said, allowing users to delete telecom data and transfer their data (not just their numbers) is a welcome initiative.
5. Notice and Consent
This is a big one. As we discussed, consent is broken, and TRAI recommended that for telecommunications users,
5a. Consent mechanism on the basis of MeitY's electronic consent framework
- "In order to ensure sufficient choices for users of digital services, the granularities in the consent mechanism should be integrated by the service providers." Apart from this, TRAI recommended that a framework, "on the basis of the electronic consent framework developed by MeitY and the framework directive for fiduciary data (aggregator of accounts) issued by the Reserve Bank of India", should also be notified for the telecommunications sector and should include provisions for revoking the consent of users at a later date.
5b. Multilingual agreements: TRAI recommended that the agreement / terms and conditions be "multilingual, easy to understand, unbiased, short models" for "all entities of the digital ecosystem".
5c. No pre-ticked boxes:
- Data controllers should not use "pre-checked boxes" to obtain user consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
5d. Devices and Consent:
- (g) Devices should disclose the terms and conditions of use in advance, prior to the sale of the instrument.
- (h) It should be made mandatory for devices to incorporate provisions allowing the user to delete those preinstalled applications that are not part of the basic features of the device, if he so decides. In addition, the user should be able to download certified applications of his own will, and the devices should in no way restrict these actions by the users.
6. This is one of the problems we had raised at the open house on privacy: Data sent over telecommunications networks is not secure, and we need strong privacy recommendations to ensure the security of this data. The TRAI recommends that:
- To ensure the confidentiality of users, a national policy for encrypting personal data, generated and collected in the digital ecosystem, should be notified by the government at the earliest.
- To ensure the security of personal data and the privacy of telecommunications consumers, the personal data of telecommunications consumers must be encrypted during motion as well as during storage in the digital ecosystem. Decryption should be permitted where necessary by authorized entities in accordance with the consent of the consumer or as required by law.
This is a very welcome suggestion from TRAI, and it is high time that this question was addressed. That said, given the mess of the latest version of the encryption policy (now withdrawn), it should be examined carefully.
7. Violation and notification
- All entities in the digital ecosystem, including telecommunication service providers, should be encouraged to share information about vulnerabilities, threats, etc., in the digital ecosystem / networks to mitigate losses and prevent the repetition of such events. All entities in the digital ecosystem, including telecommunication service providers, should transparently disclose information about breaches of privacy on their websites, as well as measures taken to mitigate them and prevent them in the future.
- Sharing information relating to data breaches by all entities in the digital ecosystem, including telecommunication service providers. It should be mandatory for all entities in the digital ecosystem, including all these service providers, to be part of this platform.
- Data security breaches may occur despite the adoption of best practices / necessary measures and processors. Sharing information about data breaches should be encouraged to prevent / mitigate such incidents in the future.
This is a measured approach: a problem with breach notifications is that breached businesses are afraid of harassment by law enforcement agencies. It's a tricky thing to manage: at one level, it's important to make sure that companies are trying to protect users' data, and that penalties are a way to ensure that they behave responsibly. At another level, the fear of penalties (and loss of business) prevents companies from disclosing breaches to law enforcement and clients.
Overall, these recommendations are welcome from TRAI.
MediaNama .