The TRAI Recommendations on Privacy

This piece reviews the Telecom Regulatory Authority of India (TRAI) recommendations on “Privacy, Security and Ownership of Data in the Telecom Sector” released on July 16, 2018 (Recommendations) and attempts to highlight some of their more immediate potential consequences.

Consultations are typically taken up by TRAI based on requests from the Department of Telecommunications (DoT). In the instant case, the TRAI has atypically put out the consultation and subsequently the Recommendations of its own volition, without an explicit mandate on the subject.

TRAI recommendations are approved and implemented by the DoT pursuant to the procedure under Section 11 of the TRAI Act, 1997. This process may involve the DoT seeking clarifications, modifications or otherwise referring items back the TRAI.

This process may turn out to be more complex in connection with the current set of Recommendations, given that much of their content recommends the passing of broad-ranging new legislation that is not limited to only the telecom sector.

In arriving at the Recommendations, TRAI has analysed several aspects surrounding general data protection regulation before concluding that the committee of experts appointed by the Ministry of Electronics and Information Technology (MEITY), and headed by retired Justice B.N. Srikrishna[1], will introduce a draft bill regulating data protection and privacy across sectors.

The Recommendations examine the existing rules and licence conditions applicable to telecom service providers (TSPs) and conclude, based on an examination of the statutory[2], licensing[3] and standards[4] framework currently applicable to them, that the said framework is sufficiently robust.

The Recommendations then recommend an expansion of the above framework to regulate all participants in a “digital ecosystem”, which they define expansively to include TSPs, personal devices (mobile handsets, tablets, personal computers), machine-to-machine devices, communication networks (receiver stations, routers, switches), browsers, operating systems, over-the-top service providers, applications etc. (collectively referred to as “Entities”).

Specific Recommendations on TSP Practices

Within this context, the Recommendations identify certain aspects specific to TSP regulation that can be revised. These recommendations are particularly relevant to note, as the DoT secretary has indicated that such recommendations will be useful in deciding the final policy.[5] They can be operationalised in a fairly straightforward manner by the DoT, through a simple amendment of the conditions in the unified licence (UL) agreement between the government and TSPs.

These include:

  1. Encryption: the Recommendations indicate that encryption standards applicable to TSPs need to be aligned to the needs of other sectors. This may serve to address the current lack of uniformity across sectors with respect to encryption standards. The Recommendations make reference to the DoT mandate to limit encryption to a 40-bit standard. TRAI has recommended that the DoT should revise this standard to bring about uniformity and greater security. Such encryption is recommended for the storage of data as well as during transfer of data. Separately the Recommendations also suggest a national policy on encryption of personal data, a power not afforded to the DoT.
  2. Consent: the Recommendations identify user consent as a key gap in the current legal framework applicable to TSPs. TRAI recommends the “Electronic Consent Framework”[6] (Consent Framework) developed by MEITY, and the Non-Banking Financial Company- Account Aggregator (Reserve Bank) Directions, 2016[7], as useful guides to developing a user consent framework. The latter document enables consumers to use past financial data, which TRAI highlights to support its claim that a similar consent framework is needed for allowing TSPs to handle user data. MEITY’s Consent Framework describes technical infrastructure that enables secure collection of user information based on consent provided by said user. This architecture is intended to allow secure sharing of user data as there are operational restrictions on access to actual user information even while the consent element remains publicly accessible.
  3. Data Minimisation and Purpose Limitation: the Recommendations require that Entities collect data only to the minimum extent necessary for provisioning services to data subjects. They further state that Entities must restrict usage of collected data only to the stated and specific purpose for which consent has been obtained at the time of collection. The above principles already find some parallel in the provisions of the UL agreement[8] and The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009. Conceivably, this regime can be expanded upon and integrated with the existing restrictions around collection, storage and processing of network or traffic data.
  4. Data Breach Notification: The Recommendations state that all Entities should be encouraged to share information regarding vulnerabilities and threats in the digital ecosystem. Further, Entities should disclose any instance of a privacy breach on their website. A common platform for all Entities to report security breaches is recommended. Entities are to be encouraged to share information relating to such instances of privacy and security breaches.

While the above Recommendations of the TRAI are straightforward in their implementation, others may prove more complicated to enforce, particularly given the wide-ranging nature and number of ministries and regulators, which may need to align in order to implement them.


[1] Notification on appointment of committee of experts to study data protection; accessible at http://meity.gov.in/writereaddata/files/meity_om_constitution_of_expert_committee_31072017.pdf.

[2] IT Act, 2000 (Sections 43A, 69, 69B, 72A, 67C, and 79); IT Rules; Indian Telegraph Act, 1885 (Sections 5, 26); and Indian Telegraph Rule 419A.

[3] UL conditions 37, 38, 39, and 40.

[4] ISO27001 or sectoral-standard (Information Technology Act, 2000); ISO/IEC 15408 for network elements (UL condition 39.6); ISO 27000 for management (UL condition 39.7); 3GPP2 security standards: (UL condition 39.7); and incorporation of contemporary security standards: (UL condition 39.8).

[5] “DoT to take up only relevant TRAI recommendations on data privacy”, ET Telecom, July 19, 2018; accessible at https://telecom.economictimes.indiatimes.com/news/dot-to-take-up-only-relevant-trai-recommendations-on-data-privacy/65048533.

[6] Accessible at http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf.

[7] Accessible at https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD46859213614C3046C1BF9B7CF563FF1346.PDF.

[8] UL condition 37.2.