Airtel’s privacy policy has riled up users after they found that it says Airtel can collect users’ sensitive personal information, such as sexual orientation, genetic information, and political opinion, and share all of this with third parties. Users are raging on Twitter about how intrusive this is. But as shocking as it may sound to some, it’s far from a new discovery.
Update 11pm, October 17: Airtel clarified to Gadgets 360 that it has updated its privacy policy to remove the more extreme points. Gadgets 360 has confirmed this. The company further clarified that this was an inadvertent error caused by using a generic template for the page.
Update 5pm, October 17: Airtel replied to our email with a link to its tweet stating that the policy mentions expansive definitions which may not be warranted, and also that it does not collect information beyond what is permissible by the law. However, as noted by experts, what is currently permissible is extremely far reaching, and open to misuse.
Airtel’s Privacy Policy details what it means by sensitive personal data and information, abbreviated SPDI for legal matters, and what it does with it.
It says SPDI may include, but is not limited to, genetic data, biometric data, racial or ethnic origin, religious and philosophical beliefs and, as mentioned above, political opinion and sexual orientation. There are more kinds of data it gathers, of course, such as financial (related to billing, etc) and physiological (related to tailoring of products and services on offer). But these are more or less acceptable, even if they are without a general consensus. And call details, browsing history, and location data is a given.
Lawyer and cyber security expert, Prashant Mali, says that users’ data such as sexual orientation and even political opinion, falls within the definition of SPDI under Section 43A of the Information Technology Act (2000); and collecting, storing and processing it is well within the rules. “However, if one feels violated, they can file a complaint against Airtel for damages and compensation of up to Rs. 5 crores before the Adjudication Officer, i.e. the Principal Secretary (IAS) of the state,” says Mali.
Airtel and its third parties (i.e. contractors, vendors and consultants) collect, store, and process users’ data as quid pro quo for its services. The “Agree and Continue” that you often encounter is your consent to it. Users have the option to not accept it, or retract the consent later. But Airtel will swiftly withdraw its services thereafter.
The policy says that it may also transfer users’ personal information to companies both in and outside of India, clarifying however, that all entities handling users’ data agree to follow Airtel’s guidelines for the “management, treatment and secrecy of personal information”. There’s another document that details what the promise entails.
The Centre for Internet and Society in a 2015 study conducted on privacy policies of telecom companies notes that Airtel’s policy is clear and easy to understand, but it adds that “the policy could be more transparent and specific on matters of regarding the purpose of collection of information as well as deletion of information”. Their observation holds true even after Airtel’s update to the policy last week.
Legal validity does not negate the concern that users may have
“The policy by itself at present gathers overbroad and incredibly personal data unconnected to the provision of telecom services,” says Apar Gupta, Executive Director of the Internet Freedom Foundation.
The IFF specifically studies telecom company policies and engages with them and government authorities, such as the Department of Telecommunications (DOT), to strengthen privacy laws.
“The present legal rules set a very low threshold for protection of personal information, and, in any instance, this section is rarely enforced,” adds Gupta.
India at present lacks a proper legislative framework with respect to user privacy
Gupta says that the DOT within its legislative mandate can intervene to ensure user privacy. The proposed Personal Data Protection Bill can also increase the standard of user consent. The “Click and Continue” at present leaves users with fewer options. But there’s absolutely no clarity on how the bill will be implemented at all. It seems more outrage is needed to push the government to put in place a decisive bill that ensures user privacy, which, in turn, will hold companies accountable.
Update 11pm, October 17: You can see the full text of Airtel’s response below.
We have come across some reports regarding our privacy policy as stated on our website. We would like to state that privacy of our customers is of paramount importance to us.
The generic content of the definitions of what constitutes personal data as laid down by the IT Act are expansive, which had been inadvertently put on to our website.
We thank those who brought this error to our attention. We emphatically confirm that we do not collect any personal information relating to genetic data, religious or political beliefs, health or sexual orientation, etc.
Are iPhone 12 mini, HomePod mini the Perfect Apple Devices for India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.