Statement from Airtel:
“We would like to state that privacy of our customers is of paramount importance to us.
“The generic content of the definitions of what constitutes personal data as laid down by the IT Act are expansive, which had been inadvertently put on to our website. This was a clerical error.
“We thank those who brought this error to our attention.
“We emphatically confirm that we do not collect any personal information relating to genetic data, religious or political beliefs, health or sexual orientation etc.
“The policy which we have always used to collect data has been duly updated for the benefit of our customers and can be accessed here – https://www.airtel.in/privacy-policy/.”
What caused the furore?
The categories of data listed include very sensitive information about people. Consider this: a person from a minority group visits their place of worship every day. Their location is tracked using mobile towers. This location, which is inextricably linked to the person’s mobile number, is used to deduce the person’s religious identity.
Or a person belonging to a sexual minority searches for potential partners online, or uses a particular app to do so. The telco links it to other details about the subscriber.
Or a person visits a hospital twice a month for a treatment. The telco has the location data and deduces that this person is chronically ill. The two largest service providers in the country — Jio and Airtel — already have payments banks. It is not beyond the realm of imagination to think that they may venture into insurance and allied services. If telcos, that may provide insurance or credit cards, have access to subscribers’ health data, or can make accurate assumptions about it, they could potentially overcharge people for insurance.
If a telco creates such digital dossiers on people, it can be mandated to share such information with the government under its licence agreement. This information can be used to target, with alarming accuracy, members of religious or sexual minorities.
What kind of data is Airtel required to collect?
To ply as an internet and telecom service provider in India, Airtel has to collect, store and share certain types of data with the Department of Telecommunications (DoT) and/or the Telecom Regulatory Authority of India (TRAI) under its licence agreement. This includes Call Related Information (CRI) such as numbers who made the call and to whom; time, date and duration of the call; location of the caller; and data records for failed calls. This information may be shared with law enforcement authorities as well.
How useful are privacy policies?
Airtel’s statement raises more questions than it answers. We have sent them to Airtel and will update the article when we get a response:
- How did the clerical error go unnoticed for more than a year?
- What were the actual updates made to the Policy on October 8, 2020?
- How long is the following information retained by Airtel: “call details, your browsing history on our website, location details and additional information provided by you while using our services”? Is this automatically deleted after the data retention period lapses? Are there circumstances in which such data is still retained?