Airtel has said that it does not collect any personal information related to subscribers’ genetic data, religious or political beliefs, and health or sexual orientation. The telco instead attributed the inclusion of such data in its privacy policy to a “clerical error”. The second largest ISP in the country (by number of subscribers) had “inadvertently put” the broad definitions of personal data from the Information Technology Act on to its website, the company said in a statement to MediaNama.

What happened?

On October 16, eagle-eyed Twitter users noticed that Airtel’s privacy policy for its website and services stated that Airtel and its authorised third parties could collect, store and process the following types of sensitive personal information: “Genetic Data, Biometric Data, Racial or Ethnic Origin, Political opinion, Religious & Philosophical belief, Trade union membership, Data concerning Health, Data concerning natural personal’s sex life or sexual orientation, password, financial information (details of Bank account, credit card, debit card, or other payment instrument details), physiological information”. This caused a furore on Twitter, after which Airtel sought to contain the damage and released an updated Policy on October 17.

Multiple Twitter users pointed out that the Privacy Policy had been updated on October 8, 2020. However, as per archived pages of the Policy, the contentious section has been a part of the policy since at least August 13, 2019; it only got public attention now.

Statement from Airtel:

“We have come across some reports regarding our privacy policy as stated on our web site.

“We would like to state that privacy of our customers is of paramount importance to us.

“The generic content of the definitions of what constitutes personal data as laid down by the IT Act are expansive, which had been inadvertently put on to our website. This was a clerical error.

“We thank those who brought this error to our attention.

“We emphatically confirm that we do not collect any personal information relating to genetic data, religious or political beliefs, health or sexual orientation etc.

“The policy which we have always used to collect data has been duly updated for the benefit of our customers and can be accessed here – https://www.airtel.in/privacy-policy/.”

What caused the furore?

The categories of data listed include very sensitive information about people. Consider this: a person from a minority group visits their place of worship every day. Their location is tracked using mobile towers. This location, which is inextricably linked to the person’s mobile number, is used to deduce the person’s religious identity.

Or a person belonging to a sexual minority searches for potential partners online, or uses a particular app to do so. The telco links it to other details about the subscriber.

Or a person visits a hospital twice a month for treatment. The telco has the location data and deduces that this person is chronically ill. The two largest service providers in the country — Jio and Airtel — already have payments banks. It is not beyond the realm of imagination to think that they may venture into insurance and allied services. If telcos that provide insurance or credit cards have access to subscribers’ health data, or can make accurate assumptions about it, they could potentially overcharge people for insurance.

If a telco creates such digital dossiers on people, it can be mandated to share such information with the government under its licence agreement. This information can be used to target, with alarming accuracy, members of religious or sexual minorities.

What kind of data is Airtel required to collect?

To operate as an internet and telecom service provider in India, Airtel has to collect, store and share certain types of data with the Department of Telecommunications (DoT) and/or the Telecom Regulatory Authority of India (TRAI) under its licence agreement. This includes Call Related Information (CRI) such as the number that made the call and the number it was made to; the time, date and duration of the call; the location of the caller; and data records for failed calls. This information may be shared with law enforcement authorities as well.

How useful are privacy policies?

Irrespective of whether or not it was an oversight on Airtel’s part, the episode raises a big question about how useful a privacy policy is. Let’s assume that Airtel was indeed collecting all this sensitive information on subscribers. Does changing the Policy mean that it also updated all its systems to not collect such data anymore? How long do such updates take? What happens to data that would have been collected under the previous Privacy Policy? Is it immediately deleted?

Unanswered questions

Airtel’s statement raises more questions than it answers. We have sent them to Airtel and will update the article when we get a response:

  • Where did Airtel get the categories of sensitive personal data from? Airtel’s statement basically suggests that someone copied a section from the Information Technology Act. However, the Sensitive Personal Data or Information Rules, 2011, that define sensitive personal data, do not include the following categories of data that Airtel’s old Privacy Policy contained: genetic data, racial or ethnic origin, political opinion, religious and philosophical belief, trade union membership, and data concerning natural “personal’s” sex life.
  • How did the clerical error go unnoticed for more than a year?
  • What were the actual updates made to the Policy on October 8, 2020?
  • Can Airtel categorically state that it collects no information other than the categories listed in the new Privacy Policy? The new Privacy Policy does not give an exhaustive list of categories of data that Airtel collects. It instead uses “may include but not limited to” to give a short list of data collected.
  • How long is the following information retained by Airtel: “call details, your browsing history on our website, location details and additional information provided by you while using our services”? Is this automatically deleted after the data retention period lapses? Are there circumstances in which such data is still retained?