MUMBAI (NewsRise) -- India got its first taste of data privacy rules after the telecommunication regulator proposed guidelines covering areas such as security and data ownership that would apply to all companies that either offer a mobile network or use one to reach their audience.
The Telecom Regulatory Authority of India's recommendations, released Monday, drew mixed reactions. While some said rules were necessary given the spurt in smartphone use and in the number of data breaches in the country, others questioned the scope of TRAI's guidelines and the timing.
A panel led by B.N. Srikrishna, a former Supreme Court judge, is now in the final stages of drafting India's privacy regulations, including defining accountability and penalties for violations for all sectors.
TRAI said its proposals, formed after a lengthy consultation process, were an interim measure. In its release, it asked the government to bring devices, operating systems, browsers and applications under licensing conditions that apply to telecom service providers and mandate users' privacy. The regulator also said it would update the conditions to conform with any broader law that may be passed later.
TRAI's guidelines need to be approved by the government. Should they take effect, the rules would apply not only to local players like e-commerce merchant Flipkart and telecom operator Reliance Jio but also foreign giants such as Facebook, Google and Amazon.
"It is good that TRAI is taking the lead" in creating a regulatory framework for the sector, said Amber Sinha, privacy expert at Bengaluru-based thinktank Center for Internet and Society.
However, there must be some manner of consensus on the broad principles across different government departments, he added.
In the announcement on its website, TRAI referred to the huge volumes of data flowing through phone lines. It said it included service providers in the scope of its guidelines as they offered the connectivity and devices that allowed end users to access the network and services.
Describing the existing patchwork of rules to protect personal information as "not sufficient," TRAI said that ownership of data generated by telecom consumers should rest with users and not companies.
It also said that companies should not use meta-data to identify users and should disclose data breaches.
According to Sinha, some basic aspects of TRAI's proposals are borrowed from the European Union's General Data Protection Regulations that took effect in May. The GDPR sought to give Europeans greater control over their online information and enforces strict rules regarding consent and violations.
Critics of the Indian regulator's proposals say they are a setback for data-driven businesses, which mostly provide app-based services.
App companies anonymize the data and do not retain or share call detail records, the Internet and Mobile Association of India, which represents companies such as Facebook and Google, said in a statement.
With more than 350 million smartphone users, India is now one of the largest markets for companies such as Facebook. More users are going online to buy everything from groceries to precious jewelry.
"Internet penetration among adults is already near 50%," said Neil Shah, director and co-founder of Counterpoint Research, a Hong Kong-based consulting firm. "Given the growth in online transactions, any financial damage caused by a potential data breach may be huge," Shah said.
Debate about data privacy has grown ever since India introduced a biometric identity card eight years ago.
The Aadhar card has since become mandatory to access a range of services, from opening bank accounts to authenticating payments on mobile apps and filing tax returns.
However, the card has also been blamed for tempting hackers and putting personal information at risk.
For instance, last year, Reliance Jio came under a cloud after reports that a website had leaked sensitive personal information about millions of users, including names, email addresses and the Aadhar card number. Reliance denied the data breach even as those seeking to confirm it found they could no longer access the website.
More recently, Facebook's explosive revelation that British political consultancy Cambridge Analytica harvested users' personal data without permission further strengthened the case for safeguards. In a testimony before Congress in the U.S., Facebook included India's top mobile service provider Bharti Airtel and music streaming company Saavn among the companies that had access to its data.
--Dhanya Ann Thoppil