NEW DELHI: Ownership of data generated by telecom consumers should rest with the users and not internet giants and mobile device makers, Telecom Regulatory Authority of India (Trai) has recommended. It has also said that the existing framework for data protection is "not sufficient" to protect consumers.

"One-sided user agreements which are complicated and difficult to understand" – often thrown in by various app makers and mobile device companies – should be done away with, while collection of "unrelated or unnecessary data" should be barred, Trai has additionally recommended.

"Each user owns his/her personal information/data collected by/stored with the entities in the digital ecosystem… government should notify the policy framework for regulation of devices, operating systems, browsers and apps," Trai said in its recommendations on ‘privacy, security and ownership of data in the telecom sector’.

The recommendations are not binding in nature but assume importance in view of various cases of data breach, including the recent one involving millions of users of social media giant Facebook.

The views of the telecom regulator, which come ahead of the Justice B N Srikrishna committee’s recommendations on data privacy, have the potential to impact business conducted by companies such as Apple, Samsung, Google, Amazon and Facebook, apart from several homegrown internet giants.

"We find that telecom users are real owners of data and rest of players are mere custodians," Trai chairman R S Sharma told TOI after submitting the recommendations to the government.

Trai’s recommendations were unequivocal with regard to the rights of users. "In respect of the ownership of personal data… the individual must be the primary right holder qua his/her data.
While the right to privacy should not be treated solely as a property right, it must be recognized that controllers of personal data are mere custodians without any primary rights over the same."

Ownership rights of the user over personal data "are supreme", Trai said, adding that these should not be superseded by the rights of data controllers, data processors, or any other entity in the eco-system.

While data controllers may collect and process personal data, this must be subject to various conditions and obligations, "including importantly, securing explicit consent of the individual".

"Very many times, the user is forced to part with his/her personal data with very little information about the scenarios/uses that the data would be put to. He has no facilities to access, view, amend, or delete his data submitted. In case of any data breach, he may not even be informed about it till it gets reported."

The growth in the number of connected devices implies that a large portion of data created would consist of personal details relating to individuals such as purchases, places visited, demography, health statistics, financial transactions, education, work profile etc.

"Technology, though beneficial to mankind in general, does have collateral disadvantages eg increasing use of smart devices in everyday lives can lead to a loss of privacy for individuals, who may often not even be aware that they are being tracked or observed."

The regulator also spoke about the serious pitfalls that one can suffer due to lack of data privacy laws.

"… ubiquitous presence of smart devices like a mobile handset has many benefits but it may also be a source of loss of privacy of the user, eg when a user knowingly/unknowingly grants permission to access the camera and microphone of a smart device to an application, the application may execute live streaming on the internet using camera and microphone, run real time facial recognition algorithms, use advanced algorithms to create a three-dimensional model of the user's face, upload random frames of video stream being accessed by the user etc."

To ensure privacy of users before data processing, Trai said that there is merit in ensuring that the same is anonymised/de-identified.

While telecom companies are currently covered by data-privacy laws, the same rule does not apply to the fast-growing eco-system of apps as well as the mobile device makers.

Trai also said that consumers should not be confused or misguided through confusing "one-sided" user agreements. "Many times, end user agreements/terms and conditions that a user is served at the time of availing any services, procuring any device etc are one-sided, complex, lengthy, full of legal jargon and in a language that a user may not understand. The user has no other choice but to accept them to avail the services of the entity. Since India is a multilingual country, these agreements, notices etc should be provided in an easy to understand, short, multi-lingual format for the benefit of the users."

Trai said that "notice, choice, and consent" are the most important rights that need to be given to consumers. "Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
Similarly, Choice and Consent implies that a data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Consent may be considered to be a powerful means of protecting an individual’s information."