Will TRAI and DoT take action against Airtel for violation of consumer’s fundamental right of privacy?

 New Delhi: Airtel’s online privacy policy has led to the rise of another debate. Cybersecurity experts have now pointed out that the telecom giant is collecting sensitive information like bank details and passwords of its customer which is not mandated by the Telecom Regulatory Authority of India (TRAI) or Department of Telecommunications (DoT).

Under clause 37 of the License pertaining to Confidentiality of information it is clearly stated that  — No such person seeks such information other than is necessary for the purpose of providing Service to the Third Party. This means any service provider can only take address and identity proof for the services.

But the Airtel in its privacy policy (https://www.airtel.in/privacy-policy ) stated – Airtel and its authorized third parties may also collect, store, process Sensitive Personal Information, which may include but be not limited to password and financial information (details of Bank account, credit card, debit card, or other payment instrument details), for providing our products, services and for use of our website.

Delhi based cybercrime expert Amit Dubey has raised strong objection to the storage of sensitive personal information of users. “It is shocking that instead of taking basic information like address and identity, the telecom service provider is also storing banking and sensitive data. What will they do with it? How safe is this data? And what happens if this data is misused? Airtel needs to answer this to its customer,” said Amit Dubey, Chief Mentor, Root64 Infosec Research Foundation.

Dubey highlighted that Airtel’s policy is completely in violation of the right to privacy and licensing terms laid by the regulatory body. “If Airtel is storing such sensitive personal data and is also authorizing its third party to access it then are they following ISO 27001, which is a must for personal data protection requirements. Retailers, agents and the third party of Airtel should comply by ISO 27001 standards which doesn’t seems to be followed on the ground,” questioned Dubey and added that soon his NGO will move court and file PIL in the matter.

Another cybersecurity expert Naavi pointed out that the policy admits collection of “financial information (details of Bank account, credit card, debit card, or other payment instrument details), for providing our products, services and for use of our website. Naavi said, “For delivery of service, Bank information may not be considered as essential information to be collected. Bank and Credit card information is only required when Airtel has to directly bill the customer to the Bank account or to a credit card account. Hence this consent is relevant if the customer opts for direct billing and not otherwise.”

 “… this sort of violation is too common and only when the Indian personal data protection act is passed and the Data Protection Authority is there to supervise and impose fine, this will become a real issue,” Naavi said.

Earlier, a lot of furore was created on the social media platform after users found that Airtel’s privacy policy says that it can collect users’ sensitive personal information, such as sexual orientation, genetic information, and political opinion, and share all of this with third parties. Airtel was quick to clarify that it does not collect personal information of customers, other than name and address proof, clarifying that a clerical error led to sharing of content such as genetic data and sexual orientation briefly on its website. Airtel has removed the faulty policy from its website but the present policy is also under strong criticism.

The telecom company has declared that Airtel and its third parties (i.e. contractors, vendors and consultants) collect, store, and process users’ data as quid pro quo for its services. The “Agree and Continue” that you often encounter is your consent to it. Users have the option to not accept it, or retract the consent later. But Airtel will swiftly withdraw its services thereafter.

The policy says that it may also transfer users’ personal information to companies both in and outside of India, clarifying, however, that all entities handling user data agree to follow Airtel’s guidelines for the “management, treatment and secrecy of personal information”.