Privacy Policies of Telecom Service Providers - Or Why You Shouldn't Just Click Accept
Tl;dr
We analysed the privacy policies of the four large telecom service providers - Jio, Vi, Airtel, and BSNL - to check not only whether they were Puttaswamy-compliant, but also whether their policies would need updating in the face of the impending Personal Data Protection Bill, 2019. We found certain issues in these policies, on the basis of which we have sent letters detailing our comments to these telecom service providers.
Why study privacy policies?
On October 8th, 2020, Airtel updated its privacy policy. The updated policy stated that the categories of information that Airtel would collect would include "political opinions, religious beliefs and sexual orientation". A week later, reports emerged about the policy, with many users calling out the telecom service provider (TSP) on its policy for violating the privacy of users.
While Airtel has subsequently amended its privacy policy, the incident brought to light the need to ensure that TSPs, who both generate and process large amounts of data on a daily basis, have robust privacy policies that protect the digital rights of users and comply with legal and legislative frameworks for data security. Additionally, given that The Personal Data Protection Bill, 2019 was introduced in Parliament last year, we thought it might make sense to analyse these policies from the angle of the Bill as well. In our analysis, we tried to focus not just on issues related to privacy and digital security but also on organisational practices. For this, we used the framework provided by the Personal Data Protection Bill, 2019, and then compared the four TSPs on how they fared with regard to metrics such as the existence of consent sharing mechanisms and data transparency.
Airtel
Airtel may have updated its privacy policy, but significant issues still remain. For example, Airtel predicates the provision of services on the consent of the user to process data, explicitly stating that Airtel may discontinue services in which consent is not provided or is provided but then later taken back. Now, the Personal Data Protection Bill, 2019 (PDPB) itself unequivocally states that “the provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose”. Thus, if the PDPB were to be passed, such a privacy policy would be violative of the Act.
The PDPB also mandates certain additional safeguards for the processing of sensitive personal data, which are missing in the policy. Additionally, the policy states that Airtel may still have lawful grounds to process personal data once a user’s contract with Airtel has been terminated, even though the PDPB preserves the right to erasure. Data retention timelines and data anonymisation standards are missing from the policy as well.
Airtel, like many other TSPs, requires us to send the famous 'DND' SMS to stop receiving product or service-related information. However, Airtel has not clarified whether sending the requisite SMS shall simply stop the delivery of service information or actually stop the processing of the relevant data as well. Additionally, the policy does not state whether consent shall be explicitly taken before sharing information with authorised third parties. Lastly, the policy may imply that the security practices and procedures followed by third parties may potentially be lower than the standards and procedures that Airtel would employ itself.
Jio
As might be expected, Jio's privacy policy also has multiple issues. The policy notes that Reliance Jio, “may not be able to process your request of correction, updation or deletion, in case... it is extremely difficult to implement”. The PDPB explicitly acknowledges the right to be forgotten, and so it may not allow exemptions due to ‘technical difficulties’. The privacy policy also states that “withdrawal of consent may lead to cancellation of your registration with us or your access to our services”. Additionally, even though the Consumer Acquisition Form states that certain fields are optional, the policy does not make it clear whether a refusal or withdrawal of consent for optional fields would also result in the termination of services. Once again, the need for a new consent sharing paradigm for TSPs is demonstrated.
Jio's privacy policy does not specify the standards of data anonymisation or data retention timelines. It also, again, seems to imply that it may hold its authorised third party partners to lower standards than itself. Furthermore, the policy lists ‘hacking’ as a case in which Reliance Jio exempts itself from responsibility in case of a breach of security. Now, the DoT’s user license agreement also specifies that “The LICENSEE shall be completely and totally responsible for security of their networks.” Given that this is, in fact, a situation which is not “outside [the] control” of Reliance Jio, it is regrettable that no additional security measures have been specified or planned to ensure that scenarios like the Big Basket data leak do not happen. Lastly, the ambiguity over whether the DND SMS stops the collection and sharing of data persists here as well.
Vi
The privacy policy of the newly established Vi too has certain issues. In the introduction, Vi seems to view the usage of services as equivalent to the provision of consent for the processing of data. However, clause 11(2) of the PDPB states certain principles that the provision of consent must fulfil, which may not be fulfilled by the policy, as such consent may not be free or capable of being withdrawn. The policy also does not mention whether the withdrawal of consent for processing certain data is viewed as grounds for termination of services by Vi.
In an Airtel-esque gaffe, Vi's privacy policy also seems to indicate that Vi may collect data about, “preferences for particular products, services or lifestyle activities”. This seems to be a textbook example of function creep, and the inclusion of such a clause is even more surprising given the recent furore faced by Airtel. The policy also states that one of the uses of personal data is “Inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party”. If the collection of certain types of data is indeed mandatory for the use of services (as is implied), then this would imply that inclusion in a directory follows the ‘opt-out’ model. An opt-out model has also been prescribed for the sharing of anonymised information with authorised third parties. Both of these would seem to contravene the directive laid down by the PDPB for the explicit provision of consent.
In what seem to be running themes, data retention timelines and data anonymisation standards are once again both missing from the policy, while Vi too does not specify any consent sharing mechanism for sharing data with authorised third parties. Yet again, ambiguity over the implications of the DND SMS remains. Vi's policy too seems to imply that it may allow the security standards of third parties to be lax.
BSNL
BSNL's privacy policy is perhaps the most antiquated of the four, and thus is most in need of revision. A very basic error the privacy policy commits is that it fails to specify the types of data being collected. This would contravene clause 7(1) of the PDPB, which mandates providing information about the nature and categories of personal data to be collected to the data principal. Like the other TSPs, BSNL fails to mention any consent sharing mechanisms for the processing of data, either with BSNL itself or with authorised third parties. Across various service providers, this is quite a large lacuna that must be addressed immediately.
Chapter V of the PDPB lays down certain rights of the data principal, such as the right to erasure, right to correction, and right to data portability. It is quite egregious that the privacy policy fails to mention any of these, and this is a situation that must be resolved at the earliest. In line with what are probably 'industry standards', the privacy policy fails to mention either data anonymisation standards or data retention timelines. Unlike the other TSPs, however, BSNL fails to mention even the basic security practices it is to follow itself.
Conclusion
In a rapidly digitalised world, telecom service providers are a key nodal point for both the generation and processing of vast quantities of data. Additionally, most Indians use the internet through mobile devices. Thus, it is extremely important to ensure that while using their services users do not find their digital rights and privacy compromised. However, as we have seen above, telecom service providers do not seem to provide safeguards in their privacy policies to protect the security and privacy of users. Such a situation is quite alarming, and illustrates not only the very pressing need for data protection legislation (such as the Personal Data Protection Bill, 2019 or the Personal Data and Information Privacy Code, 2019) but also the necessity of strong regulation of TSPs with respect to data processing.
Important Documents
- Table containing comparative analysis of the 4 Privacy Policies (link)
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Privacy Policy of Airtel (link), Jio (link), Vi (link), and BSNL (link)
- IFF's comments on Airtel's Privacy Policy (link), Jio's Privacy Policy (link), Vi's Privacy Policy (link), and BSNL's Privacy Policy (link)
#SaveOurPrivacy
#BanTheScan