Call Data Records: Much Ado About Nothing?
There have been news reports that the Department of Telecommunications (DoT) has sent out unusual requests to some telecom operators for call data records. The requests have reportedly been made to circles in Delhi, Andhra Pradesh, Haryana, Himachal Pradesh, J&K, Kerala, Odisha, Madhya Pradesh and Punjab and it is for the “records of all consumers” on specific days. These days are different for different states. For example, for Delhi, the dates are February 2, 3, 4 and 18; for AP, it is February 1 and 5; for Kerala and Odisha, February 15; for MP and Punjab, January 31 and February 1, respectively. The press reports do not provide an actual order and are entirely based on an unnamed industry official.
However, the Cellular Operators Association of India (COAI) has red-flagged them and reportedly written a letter to DoT that the requests were not in accordance with the usual norms. A former chairman of the Telecom Regulatory Authority of India reportedly commented that this was an “arbitrary action and a violation of the right to privacy”.
According to industry sources, if the information sought was part of surveillance, then the government would ask about certain identified numbers rather than data of the entire circle. Also, the request for different dates in different circles is not consistent with surveillance requirements, if any. Hence, industry observers are intrigued by the request.
One speculation is that DoT is monitoring the recent “call drop” situation. It is possible that it may be investigating possible fraud billings where operators may be raising fake calls and call dropping but billing them to the customers. Such fake billing has been a long-standing allegation of customers, which they cannot independently verify. At a time when operators are under pressure to make revenue due to past dues that they need to settle with DoT, such unethical practices cannot be ruled out. It is up to DoT to clarify matters.
It is interesting to note that some operators and parts of the press have raised the issue of privacy and possible surveillance by the government. Particularly in Delhi it has been alleged that the call records will include those of consumers who could be VVIPs and therefore, are more objectionable than otherwise. The objection is from that part of industry which is opposed to the proposed “Personal Data Protection Act” (PDPA) being passed in India and is raising objections on one ground or the other. The Supreme Court has held that the right to privacy is a fundamental right and needs to be protected by law, and the government has moved in with the law which it thinks is appropriate for the purpose. But part of the industry which may be inconvenienced by it is interested in postponing it as long as possible.
It is ironical that mobile industry operators who are themselves the biggest infringers of the right to privacy are presenting themselves as guardian angels of citizens who are protecting this right of theirs. This industry has even seen the introduction of computer contaminants in devices and OTT services to track and profile consumers for harnessing them for marketing purposes.
It may be recalled that DoT has specific powers to seek information from the operators as part of the license system. However, the proposed PDPA will put some restrictions on DoT as it is within the regulatory mechanism of the Data Protection Authority (DPA) and has to abide by the provisions of PDPA regarding “consent” and “purpose oriented usage” of personal data.
Cell phone operators are also considered “data fiduciaries” and are responsible for protecting the privacy rights of consumers. In this context, COAI flagging the request for clarification is well within their “fiduciary responsibilities”. However, such thoughts may not have been even remotely under the consideration of operators when they raised their complaint. The administrative inconvenience of having to provide such a huge amount of data on a regular basis could be more a motivation than the welfare of consumers.
Nevertheless, it is time for us to recognise that situations like these are precisely the discussion points when the bill for PDPA will be discussed by the Joint Parliamentary Committee before it is passed. Hence, a brief discussion on the implications of this DoT circular is in order to raise awareness about the forthcoming law.
The draft bill for Personal Data Protection Act (PDPB 2019) recognises in its preamble itself that apart from the objective of privacy protection, other stakeholders such as business use personal data as raw material and the government uses it both for national security and for delivering services to citizens and governance. Additionally, it is recognised that privacy as a right is subject to reasonable restrictions which is enshrined in the Constitution itself.
Hence, privacy activists who jump at every opportunity to criticise any move of the government which has even a remotest link to the right to privacy should understand that despite the law being passed, there will continue to be provisions under which the centre can seek personal information from any source. In fact, any delay in the passage of the law will be only to the advantage of the government since the responsibilities of the government department will be far higher when the law becomes effective.
For example, though Section 35 of the PDPB 2019 provides exemptions to the government for certain national security purposes, the power can be exercised only by a due process. If the current order has to be issued after the PDPA comes into effect, DoT needs to document the reasons and be able to justify it under national security requirements. It can be also for fraud investigation or for investigation leading to the Delhi riots, etc. If, however, the data is sought for monitoring call drops or for any other purpose, DoT can call for the information on a de-identified basis. The operator has to then de-identify the data and provide it to the government. If afterwards the department has reasons to investigate any specific case, it can send the appropriate order for sharing of identified personal information. This requires the operators to introduce a system of de-identification and anonymisation of call records which is a technical enablement for which they need to prepare themselves. If DoT asks for de-identified information and the operator provides it, then the responsibility for privacy infringement lies with the operator.
Having collected the information for a specific purpose, the responsibility lies with the government to ensure that it is secure and does not leak out as identified information from its end. If so, the head of DoT is liable under the PDPA. Consumers, on the other hand, can consider both the operator and DoT as data fiduciaries and exercise their rights of access, correction, quality and portability and if justified, the right to forget. There is another issue: who is the owner of the call details record? Is it the consumer or the operator or does it belong to both?
Thus, the incident indicates the type of issues that will arise once the Act comes into existence and why organisations such as COAI and departments of the government need to study the Bill and put in place techno-legal measures to meet compliance requirements as and when it becomes a legal mandate.
If companies are not ready, they will be caught napping like Italy was caught with the infamous “Hug the Chinese” campaign they ran just when the coronavirus was looking for an opportunity to spread. On the other hand, if COAI members are trying to look ahead and take voluntary compliance efforts, the risks of non-compliance can be substantially mitigated. This is the theme of my book Be Aware, Be Ready and Be Compliant, which dwells on the proposed PDPA which is set to become a law in India soon.
—The writer is a cyber law and techno-legal information
security consultant based in Bengaluru