Some of the allegations leveled against Truecaller include the collection of IP addresses, device IDs, and automatically signing up users for the app’s now-defunct UPI payment services.
The Bombay High Court has issued a notice to the Union government and the National Payment Corporation of India (NCPI) seeking their response to public interest litigation (PIL) alleging that Truecaller, a caller ID verifier app, was “sharing” user data, thus breaching data privacy of users. However, a Truecaller spokesperson, while responding to queries made by MediaNama, denied the allegations and maintained that it is ‘compliant with data privacy laws and stand ready to comply with other data protection laws anywhere in the world’.
In his notice, dated July 7, a copy of which MediaNama has seen, Chief Justice Dipankar Dutta and Justice Girish Kulkarni said, “Having heard the petitioner in person for some time, we are of the opinion that notice on this petition is required to be issued to the respondents. Accordingly, we issue notice to the respondents returnable after three weeks.” The matter is set to be heard next on July 29.
The petitioner, Shashank Posture, in his PIL alleged that Truecaller International LLP, which operates the Truecaller app has breached the data privacy of cell phone users. Posture has submitted that such activities are illegal and contrary to the position in law on privacy of the cell phone users.
The bench noted, “In addition to Court notice, the petitioners are permitted to serve the respondents by a private notice and place on record affidavit of service. In case the respondents are served before the returnable date, the respondents are at liberty to file their reply affidavits.”
What does the petition say?
In his petition, law student Posture claimed that there was a need to protect millions of citizens from Truecaller as they were allegedly collecting data unlawfully. These are the salient submissions they made in their PIL —
- Collection of call data by Truecaller will cause a negative impact on national security and amounts to a breach of privacy
- Data collected by the app can be used for marketing and advertising
- App allegedly collects data from users even after an account is deactivated
- Truecaller purportedly created UPI IDs for users without bank accounts in ICICI Bank
- Truecaller allegedly collects sensitive information including geo-location, IP address, device ID, as well as browsing history, etc.
- Truecaller was automatically registering their users on UPI without consent and thus financial details of citizens like bank account details, or credit/debit card details were being breached by Truecaller.
Grievance against NPCI: Posture, in his PIL, said that the National Payments Corporation of India allegedly failed to do its duty of monitoring Truecaller’s activities with regards to ICICI Bank. The National Payments Corporation of India is an umbrella organisation for operating retail payments and settlement systems under the ownership of the Reserve Bank of India in India.
What is the relief sought by the petitioners?
The PIL urged the court to —
- Direct Truecaller to delete all personal data of Indian citizens obtained without valid consent
- Direct Union government to conduct an enquiry into the activities of ICICI Bank and Truecaller
Not sharing data with anyone, stopped UPI in 2019: Truecaller
“Pursuant to a strategic business decision last year, Truecaller discontinued offering Unified Payments Interface (UPI) payment services and has not signed up any new users on UPI since August 2019,” a Truecaller spokesperson told MediaNama in a statement. The spokesperson said that it has not received any formal communication regarding the PIL so far, and would be able to comment more on the matter when they do.
“We are compliant with data privacy laws and stand ready to comply with other data protection laws anywhere in the world. In addition, Truecaller practices ‘data minimisation’ – taking only the data required for our service to work, and nothing else.
Claims of Truecaller data breach made in 2020: The personal data of 47.5 million Indians — including their phone number, service provider, name, gender, city, email, and Facebook ID, among other things — claimed to be sourced from caller ID app Truecaller is available for sale on the dark web for $1,000 (₹75,000), cybersecurity firm Cyble had said in 2020.
However, Truecaller, in a statement to MediaNama, had denied any breach of its database. A Truecaller spokesperson said: “ We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell. We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money.”
- Truecaller denies database breach after personal details of over 45 million Indians appear on the dark web
- Former WhatsApp Executive joins Truecaller as Director of Public Affairs in India