Twitter users agitated about the incident have claimed that such stray incidents of violation of users’ privacy will keep happening until India gets a comprehensive law on personal data protection
Indian telecommunications company Airtel, in a statement, has said that it doesn’t collect data on their users’ religious or political beliefs, sexual orientation, and genetic data.
While Airtel’s example was one that was caught in the act, it is unclear whether other telecom operators were also collecting sensitive information about their users. Jio and Vodafone’s privacy policies don’t mention so. However, the last date of updation of those policies hasn’t been mentioned by both companies.
By law, Indian telcos are required to collect, store and share certain types of data with the Department of Telecommunications (DoT) and/or the Telecom Regulatory Authority of India (TRAI) as per their licence agreements. This includes call-related information (CRI) such as phone numbers and who made the call and to whom; time, date and duration of the call; location of the caller; and data records for failed calls.
The Internet Freedom Foundation (IFF), a non-governmental organisation that conducts advocacy on digital rights and liberties, concurred with the sentiment and wrote in a tweet, “There is no substitute for a citizen-centric, rights-respecting data protection law.”
Notably, the IFF has been critical of certain provisions in the Personal Data Protection Bill, 2019, which is currently pending before a Joint Parliamentary Committee (JPC) which has been asked to submit its recommendations on the bill in the second week of the winter session of Parliament this year.
Criticism Of PDP Bill
Section 35 of the bill gives the Union government the power to issue reasoned orders exempting any government agency from the application of any/all provisions of the bill for reasons listed in the provisions. Further, Section 36 of the bill allows for certain exemptions in complying with the various provisions, in the interest of prevention, detection, investigation and prosecution of any offence.
The two clauses in the bill have been flagged by opposition members and domain experts for expanding the scope of exemptions while diluting important safeguards.
According to a special report by policy think-tank Observer Research Foundation (ORF), “blanket exemptions and lack of executive or judicial safeguards will fail to meet the standards laid out by the Supreme Court in the KS Puttaswamy v. Union of India case, where it ruled that measures restricting the right to privacy must be backed by law, serve a legitimate aim, be proportionate to the objective of the law, and have procedural safeguards against abuse. Vague grounds that trigger exemptions, absence of procedure in granting exemptions and the lack of independent oversight are major concerns.”
The report also mentioned that usage of terms like ‘national security’, ‘sovereignty’ and ‘territorial integrity’ are bound to be interpreted subjectively and could thus be misused to justify exemptions. A committee of experts under the chairmanship of Justice BN Srikrishna, in its report titled, ‘A Free and Fair Digital Economy, Protecting Privacy, Empowering Indians’, submitted to the Ministry of Electronics and Information Technology (MeitY) in 2018, had noted the importance of ensuring, “the pillars of data protection are not shaken by a vague and nebulous national security exception.”
Why Is Personal Data Protection Important?
As internet penetration spreads across the globe to include more than half of humanity and India accounts for 12% of these 3.8Bn internet users — the concerns around data protection and cybersecurity have also taken place. Today, smart devices powered by fast internet networks are collecting and storing data about every user action and behaviour from song preferences to viewership patterns, to health statistics and much more.
In such a world, the governance of how this data is stored and processed becomes indispensable. Thus, countries around the world have started to pay attention to creating data-related laws and policies.
The PDP Bill will also require startups to revamp their data-related processes and embed privacy within their system architectures. In the past, the Ministry of Electronics and Information Technology (MeitY) has invited all stakeholders who would be impacted by the legislation, to offer their suggestions and comments on the bill.