Data must be encrypted even during storage: Trai
New Delhi: The Telecom Regulatory Authority of India declared on Monday that a user “owns” his personal information and Google, Facebook and Twitter, among others, are only custodians and don’t have primary rights over their data.
For this, the government should notify the policy framework for regulation of devices, operating systems, browsers and applications.
“The right to choice, notice, consent, data portability, and the right to be forgotten should be conferred upon telecoinmunication consumers,” Trai said. However, it also added that the “right to data portability” and the “right to be forgotten” are restricted rights, and these should be subjected to the applicable restrictions due to the prevalent laws.
Trai said that multilingual, easy-to-understand, unbiased, short templates of agreements/terms and conditions be made mandatory for all entities in the digital ecosystem for the benefit of consumers.
Also, companies should be prohibited from using “pre-ticked boxes” to gain users’ consent.
Clauses for data collection and purpose limitation should be incorporated in the agreements.
Mobile device makers should disclose the terms and conditions of use in advance, before sale of the device. It should be made mandatory for the devices to incorporate provisions so users can delete pre-installed apps if he/she so decides.
Also, users should be able to download the certified applications at his/her own will and the devices should in no way restrict such action by users.
“To ensure the privacy of users, a national policy for the encryption of personal data, generated and collected in the digital ecosystem, should be notified at the earliest,” Trai said.
It said for ensuring the security of personal data and the privacy of telecommunications consumers, personal data of consumers should be encrypted during motion as well as during storage in the digital ecosystem. Decryption must be permitted on a need basis by authorised entities in accordance with consumers’ consent or as per legal requirements.
“All entities in the digital ecosystem, including telecom service providers, should transparently disclose the information on privacy breaches on their websites along with the action taken for the mitigation and prevention of such breaches in the future,” Trai added.