Users of telecom services rarely know how much personal data they are sharing, and how valuable that can be for a host of companies. And that is a problem. This is one of the conclusions arrived at by the Telecom Regulatory Authority of India in a consultation paper titled “Privacy, Security and Ownership of the Data in the Telecom Sector” released on Wednesday.

The paper, meant to spur a public conversation about policy considerations, looks at issues ranging from data usage by apps, lack of uniformity in data protection laws in the country and the lack of a regulator that can lay down rules. One of these issues is how much “information asymmetry” there is between the consumer and the data user, either the telecom operator or other companies. People who sign up to give their personal data don’t often know the way it is going to be used and the privacy policies that govern the use of their data can be changed unilaterally by companies that collected the data in the first place.

“Second, is the problem of bounded rationality, which often leads consumers to underestimate the long term consequences of their actions while consenting to share their personal information in the course of availing specific products or services,” the paper stated.

This, the paper said, could also lead to a monopoly by certain telecom companies that have a lot of data with them. This could allow companies to enter related markets – like digital payments – and dominate there as well, thus harming the market overall, the paper said.

The paper calls for a clear regulation structure that would allow and encourage new businesses that use data as their main input to enter the market. It added that one possible solution is to ensure data portability, which would allow companies to extract all user data and share it with one another.

However, sharing of users’ personal data among companies is a key concern that needs to be addressed through regulatory reforms and TRAI relied on a report by the Justice AP Shah Committee published in 2012 to suggest possible solutions.

The Shah Committee report had called for the establishing of a data controller that will put out easy-to-understand terms and conditions under which data is being collected from an individual. This controller is also supposed to intimate users and seek their consent when their data is being shared with a third party and also allow them to seek deletion or correction of their personal data if it is inaccurate.

Who owns your data?

The consultation paper said that, while telecom and internet service providers collect a lot of data from users such as call records, calling patterns, location of users and data usage, it is currently “ambiguous” who owns this data.

“In order to protect the privacy of users of telecom services it is important that ownership rights, authority to use, transact and delete personal data are ascertained,” the paper stated. “Similarly, the role and responsibilities of data controllers should also be defined.”

The consultation papers calls for an examination of data interception laws, pointing out that the the Information Technology Act, 2000 allows data to be intercepted even if the request doesn’t come under the conditions of “public emergency, public safety and public interest”, which are mandated for interception of phone calls, or phone tapping, as it is widely known.

TRAI also raised the issue of user data being collected by apps and games as well as larger providers of internet based services such as Google and Microsoft and the hurdle in regulating the data provided to them and its final use.

The paper comes just days after the ministry of electronics and information technology set up its own 10-member committee to study data protection issues in the country and tasked it with drafting a model data protection law.