Vide a circular dated 21.12.2021; the Department of Telecom (DoT) introduced amendments to the Unified License (UL) Agreement. The DoT has asked telecom companies and internet service providers (ISPs) to maintain call detail records for a minimum of two years, which was previously one year, citing security reasons. Allegedly, the amendment in the UL has been introduced after requests from security agencies.
The DoT circular stated that “The Licensee shall maintain all commercial records/ Call Detail Record (CDR)/ Exchange Detail Record (EDR)/ IP Detail Record (IPDR) with regard to the communications exchanged on the network. Such records shall be archived for at least two years for scrutiny by the Licensor for security reasons, and may be destroyed thereafter unless directed otherwise by the Licensor. Licensor may issue directions/ instructions from time to time with respect to commercial records/ CDR/ IPDR/ EDR.”
This amendment in the UL Agreement raises several questions about the privacy of the users whose call records shall be archived and maintained citing security reasons. Furthermore, such call records shall be also subject to scrutinization twice. In the backdrop of the aforementioned, it is important to understand the implications of the amendment in terms of data privacy and safeguarding the privacy interests of Data Principals.
CALL DATA RECORDS AND THE TELECOM INDUSTRY
Clause39.20 of the UL Agreement stipulates that the telecom operators in India have to keep consumer records including Call Detail Records (CDR) and the details of Internet Protocol (IP) for at least one year for scrutiny by the DoT.
In furtherance to the above, the DoT may also issue directions/ instructions from time to time, with respect to the CDRs, under the abovementioned Clause.
However, the underlying issue herein shall be the privacy concerns of the users. In the current digitized world, almost every communication takes place through a telephonic conversation.
Therefore, the moment a mobile phone user connects to a certain mobile network and calls another user, all the records such as the duration of the call, the time when the phone call started or ended, the approximate location of the users, etc., get recorded.
In such circumstances, it is of utmost importance to secure the CDRs and ensure that the same is not compromised or subject to any sort of breach or exposure as such CDRs contain sensitive information pertaining to the users.
IMPACT OF THE AMENDMENT ON USER’S PRIVACY
Several users have put forward their concern that maintaining CDRs for two years which shall be subject to scrutinization at least twice, is an infringement of their Right to Privacy as declared by the Supreme Court in the judgment of Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
On the contrary, the DoT has stated that this data mentioned in the CDRs is anonymous in nature and does not contain names of either the maker or receiver of calls. Hence, there is no infringement of privacy of any person as no personal details are collected.
Furthermore, in no manner are the mobile numbers of the users tracked or recorded. Therefore, the DoT has affirmed that the storage of CDRs is more of a security measure than an infringement on privacy of the consumer.
India has introduced several guidelines, notifications, laws and bills which direct that personal data of the users shall be safeguarded at any cost. However, the Government, or any of its agency or authorities functioning under the Government has been given certain exclusive powers with regards to accessing personal information of the users, if the need arises.
The Government or any of its agencies can access the personal information of the users if the same is necessary for verification of identity, investigation, prosecution and for punishment of offences.
Amid the rise in privacy concerns and allegations stating that storing and scrutinizing CDRs amount to surveillance, the telecom companies have stated that there is no breach of privacy in sharing. The telecom companies and the DoT have asserted that the details from the CDRs shall be used to study poor network quality or call drops/cross connection complaints.
Furthermore, it has been stated that the monetary advantages would work towards enhancing the efficiency of the home-grown industry and would also elevate the work and commitments to the artificial intelligence (AI) environment, etc.
The inclination towards data localisation is said to be a portrayal of the Government’s administrative and strategy choices. Data localisation is restricting the cross-border transferring of data and storing the data on servers located within India.
An early illustration of data localisation is under the telecom permit, under which all telecom companies in India were denied from moving any bookkeeping or client data to any individual or server located outside India.
The Indian Parliament is effectively considering enacting the Personal Data Protection Bill.
While the existing regulations will give the Indian Government more noteworthy command over the personal data stored and processed by Government organizations and corporate entities; however, the general effect on the country, the innovation business and Indian residents is not yet clear.
There are a few examinations which highlight the unfavourable effect of localisation, its impact on the home-grown economy and chilling impact to free discourse.
While the State incorporates technical advancements in its machinery, it should be ensured that, while enacting such regulations, they are utilized sparingly and in a straightforward way to ensure that the regulations do not shorten free discourse, influence the certainty of the business local area and effect global exchange connections. For this, there should be a dire change of the observation and impeding regulations in India.
The amendment in the UL Agreement to store call data records however will benefit the Investigating Authorities and hopefully improve the security of the country while not violating any rights.
For any queries or feedback, please feel free to get in touch with email@example.com or firstname.lastname@example.org.