TRAI recommendations on data protection ; posts Featured article about TRAI recommendations on data protection

TRAI recommendation on data protection will benefit end users in India

The Telecom Regulatory Authority of India (TRAI) released their Recommendations on Privacy, Security and Ownership of Data (the Recommendations) in context of the telecommunication domain.The Srikrishna Committee is entrusted with formulating the data privacy framework for India.

Definition of Telecommunications:

TRAI defined the telecommunication environment as a digital ecosystem involving multiple entities such as Devices, Telecom Service Providers (TSPs), Communication Networks Browsers, Operating Systems, Applications, Over-the-Top (OTT) service providers, etc.

Important recommendations:

1. Personal Data and Data Ownership:

  • The recommendations do note the absence of any specific legislation on data privacy. The Recommendations, while analyzing the definitions provided in the IT Act, note that the definitions of ‘data’, ‘personal information’ and ‘sensitive personal data or information’ provided in the IT Act, are similar to the provisions of the EU General Data Protection Regulations (GDPR).
  • It positively acknowledges the consistency between the Indian laws and foreign regulations, and observes that the scope of personal data as defined in the IT Act and the GDPR is fairly broad, and does not require any further changes.
  • It clarified that the ownership of such personal data lies with the individuals with whom the data in question relates to.
  • It also considers entities processing or controlling such data to be mere custodians, and as such, have no primary rights over such data.
  • It states that ownership of the data lies with the user with whom the data is related with.

2. Sufficiency of existing Data Protection Framework:

  • It notes the challenges posed by use of smart mobile devices and advent of newer technologies like Over-the-Top (OTT). Since neither such services, nor such a device is covered any telecommunication license, the obligation which is application to a telecommunication service provider would not be applicable on such entities.
  • It propose that all entities which operate within the telecommunication environment be brought within the purview of the telecommunication regulations, till a specific legislation on data protection is put in place. As a result, TRAI would have authority over all such entities.
  • There is nothing in the telecommunication legislation that allows that such power can be granted to TRAI.

3. User Consent:

  • It also propose that user’s explicit consent for their personal data to be used, be obtained prior to the data being used.
  • It seeks to provide the users with the right of choice, notice, consent, data portability and the right to be forgotten.
  • It proposes consent mechanisms with varying levels of granularity in choices to be provided to the users by the service providers. Such choices are to be explicitly presented to the user before any data is collected. This is likely to provide more control to the user, and permit any user to determine to what extent their personal data may be collected and used.

4. Data Security:

  • Data security is paramount to ensure that the data remains secure and resistant to unwanted intrusions.
  • For data security, the recommendations have suggested that the encryption standards which are present in the telecommunication license agreement entered be re-examined by the Department of Telecommunication.


  • It is not clear whether the Telecom Regulatory Authority of India Act, 1997 empowers TRAI to include any entity operating in the telecommunication environment.
  • In absence of such powers, implementation of the present Recommendations will always be open for a legal challenge.



This site uses Akismet to reduce spam. Learn how your comment data is processed.