Essential Steps to Protect Telecom Data
Practitioners Discuss the Feasibility of TRAI's Data Protection Framework
The Telecom Regulatory Authority of India has recommended that the nation's telecom companies take specific steps to protect their customers' data. Those include taking a "privacy by design" approach and focusing on data minimization, collecting as little data as possible.
Other recommendations include improving data breach information sharing, having the government establish data sandboxes, re-examining encryption standards and considering the granting of specific consumer privacy rights, including the right to be forgotten.
TRAI had issued a consultation paper, "Privacy, Security and Ownership of the Data in the Telecom Sector," last year with the objective of identifying key data protection issues in the delivery of digital services through telecommunication systems. Based on the response to that paper, it has identified priority steps telecom companies should take.
The authority stresses that consumers own their data and that entities controlling or processing their information are "mere custodians and do not have primary rights over this data."
"India is the world's largest telecom market where a huge amount of data is being created, and hence must have a robust framework for protection of users," says R.S. Sharma, chairman of TRAI.
TRAI says "privacy by design" principles should be applied throughout the digital ecosystem to hardware and software alike.
The regulator urges telecom companies to practice "data minimization," collecting only the bare minimum amount of data that's essential for providing a particular service.
Adopting a privacy by design approach "would require training of software and hardware security architects, and the regulator should ensure all telecom companies adhere to this," says Prashant Mali, Bombay High Court lawyer and cybersecurity expert.
But Mumbai-based privacy and legal consultant Vicky Shah says implementing a privacy by design approach is difficult because telecoms use so many devices and applications that are manufactured by others.
Support for building in privacy and security by design is growing as a result of the explosion of such new technologies as artificial intelligence and the internet of things, says Latha Reddy, co-chair of the Global Commission on the Stability of Cyberspace and former deputy national security and cybersecurity adviser of India.
But she contends that it's tough and expensive for companies to retroactively fit security into design to comply with the EU's General Data Protection Regulation and TRAI's recommendations.
TRAI sees a need for the government to set up data sandboxes for development of newer value added services.
A data sandbox is an entity that anonymizes data sets, which then can be utilized by service providers and businesses to design new products and services for the benefit of customers and growth of their businesses, TRAI says.
Some critics argue that the government should set up a data sandbox only if entities participate on a voluntary basis. And they argue that only raw data should be shared, not processed or analyzed data.
Mali argues that sandboxes are not a proven or tested way of addressing privacy and security.
TRAI stresses in its recommendations to telecom companies that the timely sharing of data breach information with consumers and various entities in the digital ecosystem is essential to mitigate losses and prevent their future occurrences.
TRAI suggests having a system of voluntary disclosure of information between the entities along with incentives/rewards for such sharing.
"We are saying that when data breaches take place, you should not try to hide that," TRAI's Sharma says in a recent interview. "Share it. Similarly, share best practices as well. We are recommending the creation of a platform for awareness and sharing of breaches when it happens. ... Security does not come from obscurity. You can't create such silos where you don't share information because then other people will have to reinvent the wheel."
Mali would like the government to mandate a breach disclosure policy and establish strong penalties for failure to disclose.
For now, TRAI recommends that all telecom service providers be required to use a platform for sharing of real-time information about possible threats and vulnerabilities. That would help facilitate plugging of gaps in systems and assist with the identification of best practices, the authority says.
TRAI says consumers are owners of their data and that entities controlling and processing their information are "mere custodians and do not have primary rights over this data."
In the context of data ownership, TRAI has for the first time endorsed having India support the "right to be forgotten," which is also a key provision in the EU's GDPR. It says consumers in India should have the right to ask that their data be deleted.
For ensuring the security of the personal data and privacy of telecommunication consumers, TRAI suggests the department of telecom require that data be encrypted while in motion as well as at rest, or in storage.