The Kerala High Court disposed of a PIL filed by a Congress MLA Ramesh Chennithala that sought to invalidate a circular issued by the Kerala police that let it collect call data records (CDR) from telecom service providers for the purposes of tracing the contacts of COVID-19 patients. The division bench, constituting Chief Justice S. Manikumar and Justice Shaji P. Chaly, refused to label such data collection as “unconstitutional, null and void and unenforceable in law”, as the petitioner wanted, and did not forbid the police from collecting such data. However, it directed Kerala Police to ensure “strict confidentiality” of the CDR details and that they are used only for contact tracing for COVID-19.
The petitioner argued that such data collection violated the COVID-19 patients’ right to privacy. During the course of the final hearing on August 21, the petitioner had sought that the police issue a revised circular limiting the purpose of collection to just contact tracing for COVID-19. The Court left it up to the police’s consideration.
In a written submission to the court and in oral arguments, the police had argued that segregating only the tower location from CDR was not possible. The petitioner had then sought to implead telecom service providers to ascertain the veracity of the claim. The bench refused to implead TSPs.
‘Collection of CDR for data records violates patients’ right to privacy’: PIL
The petitioner argued against a circular issued by the Kerala Police on August 11 through which the Additional Director General of Police (Intelligence) and police headquarters would ask BSNL and Vodafone Idea to hand over CDR of COVID-19 positive patients promptly. In his PIL, Chennithala argued:
- The circular makes it clear that the police was collecting CDR even before the issuance of the circular, without the consent or knowledge of COVID-19 patients.
- Such collection violates the patients’ right to privacy, both under the Puttaswamy right to privacy judgement and judgement from the Telangana High Court earlier this year as per which an “emergency of any sort” cannot be used as “an excuse to trample on the rights under Article 21”.
- The legal authority for issuing such a circular, or collecting such data is not defined. The PIL called such collection of data by the police “an illegal expansion of police powers”.
- CDR are being collected in a non-anonymised fashion, in violation of the Kerala High Court’s judgement in the Sprinklr case in April 2020.
- If such data is stored with a third party, it is very likely that “undesirable elements” could “misuse” it for commercial gain.
‘Segregating tower location from CDR is impossible, data is safe’: Kerala Police
In its written submission to the court and oral arguments, the Kerala Police argued:
- CDR details are only collected for the limited purpose of locating COVID-19 patients and their contacts.
- CDR details are only kept by the police, not shared with third parties, and are destroyed “once the places where the COVID positive patients have been [are] identified”.
- CDR details are only collected for 14 days prior to the date when patients test positive for COVID-19.
- It is not possible to segregate only the tower location from the data that telecom service providers provides them because the TSPs download the CDR details in an encrypted CSV format where they are not allowed to make any changes. Any segregation that needs to be done has to be done by the agency that seeks the details, which is the police in this case.
- The police “decodes” only one column out of the 13 that comprise a call data record. This column, “First Cell Global Id”, provides the latitude and the longitude. It is not clear if this refers to the location of the mobile tower or the individual in question.
- The only other method for obtaining tower location — location-based service (LBS) — gives real-time data and cannot be used to chart location data for previous days.