We analysed the privacy of policies of the four large telecom service providers - Jio, Vi, Airtel, and BSNL - to check not only whether they were Puttaswamy-compliant, but also whether their policies would need updating in the face of the impending Personal Data Protection Bill, 2019. We found certain issues in these policies, on the basis of which we have sent letters detailing our comments to these telecom service providers.
Why study privacy policies?
The PDPB also mandates certain additional safeguards for the processing of sensitive personal data, which are missing in the policy. Additionally, the policy states that Airtel may still have lawful grounds to process personal data once a user’s contract with Airtel has been terminated, even though the PDPB preserves the right to erasure. Data retention timelines and data anonymisation standards are missing from the policy as well.
Airtel, like many other TSPs, requires us to send the famous 'DND' SMS to stop receiving product or service-related information. However, Airtel has not clarified whether sending the requisite SMS shall simply stop the delivery of service information or acutally stop the processing of the relevant data as well. Additionally, the policy does not state whether consent shall be explicitly taken before sharing information with authorised third parties. Lastly, the policy may imply that security practices and prcedures taken by third parties may potentially be lower than the standards and procedures that Airtel would employ itself.
also specifies that “The LICENSEE shall be completely and totally responsible for
security of their networks.” Given that this is, in fact, a situation which is not
“outside [the] control” of Reliance Jio, it is regrettable that no additional security measures have been specified or planned to ensure that scenarios like the Big Basket data leak do not happen. Lastly, the ambiguity over whether the DND SMS stops the collection and sharing of data persists here as well.
In what seems to be running themes, data retention timelines and data anonymisation standards are once again both missing from the policy, while Vi too does not specify any consent sharing any mechanism for sharing data with authorised third parties. Yet again, ambiguity of the implications of the DND SMS remain. Vi's policy too seems to imply that it may allow the security standards of the third parties to be lax.
Chapter V of the PDPB lays down certain rights of the data principal, such as the
right to erasure, right to correction, and right to data portability. It is quite
In a rapidly digitalised world, telecom service providers are a key nodal point for both the generating and processing of vast quantities of data. Additionally, most indians use the internet through mobile devices. Thus, it is extremely important to ensure that while using their services users do not find their digital rights and privacy compromised. However, as we have seen above, telecom service providers do not seem to provide safeguards in their privacy policies to secure the security and privacy of users. Such a situation is quite alarming, and illustrates not only the very pressing need for a data protection legislation (such as the Personal Data Protection Bill, 2019 or the Personal Data and Information Privacy Code, 2019) but also the necessity of strong regulation of TSPs with respect to data processing.
- Table containing comparative analysis of the 4 Privacy Policies (link)
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)