SUMMARY
A passage in Airtel’s privacy policy mentioned that the telecom and its authorised third parties could collect sensitive personal information from their users
This caused a furore in Twitter, leading Airtel to update its privacy policy and issue a clarification statement
Twitter users agitated about the incident have claimed that such stray incidents of violation of users’ privacy will keep happening until India gets a comprehensive law on personal data protection
Indian telecommunications company Airtel, in a statement, has said that it doesn’t collect data on their users’ religious or political beliefs, sexual orientation, and genetic data.
The statement came in response to the furore caused on Twitter on October 16, after some observant users had noticed a passage in Airtel’s privacy policy, which mentioned that the telco and its authorised third parties could collect store and process the following types of sensitive personal information from their users: genetic data, biometric data, racial or ethnic origin, political opinion, religious and philosophical beliefs, trade union membership, data concerning health, data concerning natural person’s sex life or sexual orientation, password, financial information (details of Bank account, credit card, debit card, or other payment instrument details), physiological information.
On October 17, Airtel, in a statement, attributed the inclusion of the contentious passage in its privacy policy to a “clerical error”.
“The generic content of the definitions of what constitutes personal data as laid down by the IT Act are expansive, which had been inadvertently put on to our website. This was a clerical error. We thank those who brought this error to our attention. We emphatically confirm that we do not collect any personal information relating to genetic data, religious or political beliefs, health or sexual orientation etc.,” read Airtel’s statement. Accordingly, the company updated its privacy policy on the same day, removing the contentious passage.
While Airtel’s example was one that was caught in the act, it is unclear whether other telecom operators were also collecting sensitive information about their users. Jio and Vodafone’s privacy policies don’t mention so. However, the last date of updation of those policies hasn’t been mentioned by both companies.
By law, Indian telcos are required to collect, store and share certain types of data with the Department of Telecommunications (DoT) and/or the Telecom Regulatory Authority of India (TRAI) as per their licence agreements. This includes call-related information (CRI) such as phone numbers and who made the call and to whom; time, date and duration of the call; location of the caller; and data records for failed calls.
As for personal information that telcos collect from users, both Jio and Vodafone mention in their privacy policies that they only collect names, contact details, proof of identity and other such demographic details from their users. The same is noted in Airtel’s updated privacy policy.
The entire episode regarding Airtel’s privacy policy has aggravated many netizens, who flooded Twitter with their comments on the incident. Many users on the social media network pointed out that such stray incidents of private entities overstepping their bounds in data collection will keep happening until India brings in law for the protection of personal data.
The Internet Freedom Foundation (IFF), a non-governmental organisation that conducts advocacy on digital rights and liberties, concurred with the sentiment and wrote in a tweet, “There is no substitute for a citizen-centric, rights-respecting data protection law.”
Notably, the IFF has been critical of certain provisions in the Personal Data Protection Bill, 2019, which is currently pending before a Joint Parliamentary Committee (JPC) which has been asked to submit its recommendations on the bill in the second week of the winter session of Parliament this year.
Criticism Of PDP Bill
Section 35 of the bill gives the Union government the power to issue reasoned orders exempting any government agency from the application of any/all provisions of the bill for reasons listed in the provisions. Further, Section 36 of the bill allows for certain exemptions in complying with the various provisions, in the interest of prevention, detection, investigation and prosecution of any offence.
The two clauses in the bill have been flagged by opposition members and domain experts for expanding the scope of exemptions while diluting important safeguards.
According to a special report by policy think-tank Observer Research Foundation (ORF), “blanket exemptions and lack of executive or judicial safeguards will fail to meet the standards laid out by the Supreme Court in the KS Puttaswamy v. Union of India case, where it ruled that measures restricting the right to privacy must be backed by law, serve a legitimate aim, be proportionate to the objective of the law, and have procedural safeguards against abuse. Vague grounds that trigger exemptions, absence of procedure in granting exemptions and the lack of independent oversight are major concerns.”
The report also mentioned that usage of terms like ‘national security’, ‘sovereignty’ and ‘territorial integrity’ are bound to be interpreted subjectively and could thus be misused to justify exemptions. A committee of experts under the chairmanship of Justice BN Srikrishna, in its report titled, ‘A Free and Fair Digital Economy, Protecting Privacy, Empowering Indians’, submitted to the Ministry of Electronics and Information Technology (MeitY) in 2018, had noted the importance of ensuring, “the pillars of data protection are not shaken by a vague and nebulous national security exception.”
Why Is Personal Data Protection Important?
As internet penetration spreads across the globe to include more than half of humanity and India accounts for 12% of these 3.8Bn internet users — the concerns around data protection and cybersecurity have also taken place. Today, smart devices powered by fast internet networks are collecting and storing data about every user action and behaviour from song preferences to viewership patterns, to health statistics and much more.
In such a world, the governance of how this data is stored and processed becomes indispensable. Thus, countries around the world have started to pay attention to creating data-related laws and policies.
The PDP Bill will also require startups to revamp their data-related processes and embed privacy within their system architectures. In the past, the Ministry of Electronics and Information Technology (MeitY) has invited all stakeholders who would be impacted by the legislation, to offer their suggestions and comments on the bill.
