Clause 37 of the License, pertaining to confidentiality of information, clearly states: No such person seeks such information other than is necessary for the purpose of providing Service to the Third Party. This means any service provider can only take address and identity proof for the services.
Delhi-based cybercrime expert Amit Dubey has raised a strong objection to the storage of users' sensitive personal information. “It is shocking that instead of taking basic information like address and identity, the telecom service provider is also storing banking and sensitive data. What will they do with it? How safe is this data? And what happens if this data is misused? Airtel needs to answer this to its customer,” said Amit Dubey, Chief Mentor, Root64 Infosec Research Foundation.
Dubey said that Airtel’s policy is completely in violation of the right to privacy and the licensing terms laid down by the regulatory body. “If Airtel is storing such sensitive personal data and is also authorizing its third party to access it then are they following ISO 27001, which is a must for personal data protection requirements? Retailers, agents and the third party of Airtel should comply with ISO 27001 standards, which doesn’t seem to be followed on the ground,” Dubey asked, adding that his NGO will soon move court and file a PIL in the matter.
Another cybersecurity expert, Naavi, pointed out that the policy admits collection of “financial information (details of Bank account, credit card, debit card, or other payment instrument details), for providing our products, services and for use of our website.” Naavi said, “For delivery of service, Bank information may not be considered as essential information to be collected. Bank and Credit card information is only required when Airtel has to directly bill the customer to the Bank account or to a credit card account. Hence this consent is relevant if the customer opts for direct billing and not otherwise.”
“… this sort of violation is too common and only when the Indian personal data protection act is passed and the Data Protection Authority is there to supervise and impose fine, this will become a real issue,” Naavi said.
The telecom company has declared that Airtel and its third parties (i.e. contractors, vendors and consultants) collect, store, and process users’ data as quid pro quo for its services. The “Agree and Continue” that you often encounter is your consent to it. Users have the option to not accept it, or retract the consent later. But Airtel will swiftly withdraw its services thereafter.
The policy says that it may also transfer users’ personal information to companies both in and outside of India, clarifying, however, that all entities handling user data agree to follow Airtel’s guidelines for the “management, treatment and secrecy of personal information”.