It says SPDI may include, but is not limited to, genetic data, biometric data, racial or ethnic origin, religious and philosophical beliefs and, as mentioned above, political opinion and sexual orientation. There are more kinds of data it gathers, of course, such as financial (related to billing, etc.) and physiological (related to tailoring of products and services on offer). But these are more or less acceptable, even if there is no general consensus on them. And call details, browsing history, and location data are a given.
Lawyer and cyber security expert Prashant Mali says that users’ data, such as sexual orientation and even political opinion, falls within the definition of SPDI under Section 43A of the Information Technology Act (2000), and that collecting, storing and processing it is well within the rules. “However, if one feels violated, they can file a complaint against Airtel for damages and compensation of up to Rs. 5 crores before the Adjudication Officer, i.e. the Principal Secretary (IAS) of the state,” says Mali.
Airtel and its third parties (i.e. contractors, vendors and consultants) collect, store, and process users’ data as quid pro quo for its services. The “Agree and Continue” that you often encounter is your consent to it. Users have the option to not accept it, or retract the consent later. But Airtel will swiftly withdraw its services thereafter.
The policy says that Airtel may also transfer users’ personal information to companies both in and outside of India, clarifying, however, that all entities handling users’ data agree to follow Airtel’s guidelines for the “management, treatment and secrecy of personal information”. There’s another document that details what the promise entails.
The Centre for Internet and Society, in a 2015 study of the privacy policies of telecom companies, notes that Airtel’s policy is clear and easy to understand, but it adds that “the policy could be more transparent and specific on matters regarding the purpose of collection of information as well as deletion of information”. Their observation holds true even after Airtel’s update to the policy last week.
Legal validity does not negate the concern that users may have.
“The policy by itself at present gathers overbroad and incredibly personal data unconnected to the provision of telecom services,” says Apar Gupta, Executive Director of the Internet Freedom Foundation.
The IFF specifically studies telecom company policies and engages with them and government authorities, such as the Department of Telecommunications (DOT), to strengthen privacy laws.
“The present legal rules set a very low threshold for protection of personal information, and, in any instance, this section is rarely enforced,” adds Gupta.
India at present lacks a proper legislative framework with respect to user privacy
Gupta says that the DOT, within its legislative mandate, can intervene to ensure user privacy. The proposed Personal Data Protection Bill can also increase the standard of user consent. The “click and continue” at present leaves users with fewer options. But there’s absolutely no clarity on how the bill will be implemented at all. It seems more outrage is needed to push the government to put in place a decisive bill that ensures user privacy, which, in turn, will hold companies accountable.
Comments sought from Airtel about users’ privacy concerns on Twitter had not been received at the time of writing this article.