India: TRAI says Personal Data belongs to Users, Telecom Companies mere custodians

August 17, 2018


Recently, Telecom Regulatory Authority (TRAI) gave noteworthy recommendations on ‘Privacy, Security and Ownership of Data in the Telecom Sector’. In the recommendations, the major recommended point was that the
users have the primary right over their personal information and the entities controlling or processing this data are mere custodians who should be brought under a data protection framework to protect consumers from the misuse of their personal data.

The recommendations assume significance as issues around data protection have come into the spotlight, and privacy concerns have amplified in the wake of the recent Facebook data leak fiasco.[1]

Some of the proposals given by TRAI in its 77 pages of recommendations are: [2]

  • All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.
  • To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data, should be brought under a data protection framework.
  • For the benefit of telecommunication users, a framework, on the basis of the Electronic Consent Framework, should be notified for telecommunication sector also. It should have provisions for revoking the consent, at a later date, by users.
  • Data Controllers should be prohibited from using “preticked boxes” to gain users’ consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
  • Devices should disclose the terms and conditions of use in advance, before sale of the device.
  • All entities in the digital ecosystem, including telecom service providers, should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.
  • The Right to Choose, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers.
  • The Government should put in place a mechanism for redressal of telecommunication consumers’ grievances relating to data ownership, protection, and privacy.

Cellular Operators Association of India’s Director General, Rajan S Mathews, said that ‘one of the positive take aways from the recommendations is that TRAI has talked about data privacy in the context of devices, operating systems, browsers and applications.’



For more information please contact us at :