On October 8th, 2020, Bharti Airtel Limited updated its Privacy Policy which stated that:
- Airtel could collect data related to customer’s Sexual Orientation, Sex-life, Political, Religious and Philosophical beliefs, Health, Genetics, Biometrics, Race, Ethnicity, Passwords, Financial data (like Bank account, credit/debit card), Trade Union membership, and Physiological data.
- Airtel could share this data with its employees and third parties including sub-contractors, consultants and other affiliated organizations.
- Airtel could share this data with Government agencies and other authorised law enforcement agencies for prevention, investigation and punishment of crimes.
- Airtel could collect this data when customers use its services, websites, apps or via your other interactions with Airtel.
- Airtel could stop providing services if a customer did not allow the company to obtain and use this sensitive personal data.
- If Airtel systems are hacked, Airtel would not take the responsibility for any data leaks. Airtel put the burden of this risk on the customers.
These policies were intrusive and violated fundamental rights related to privacy. In Supreme Court’s 2018 judgement related to Right to Privacy, Justice Chandrachud had stated, “The right to privacy and the protection of sexual orientation lie at the core of the fundamental rights guaranteed by Articles 14, 15 and 21 of the Constitution.” By possibly blocking services if a customer did not accept the new policy, Airtel was violating its customers’ fundamental rights.
Netizens raised flags about this intrusive policy update on Twitter and Reddit. Yes, We Exist, an organization that raises awareness about LGBTQ+ rights, ran an online campaign called ‘Stop Snooping Airtel‘ on October 17. Several folx from the LGBTQ+ community raised their voice against Airtel and alerted journalists, lawyers and activists.
Airtel can now collect and share your personal information with third parties (a thread)
— Anandita?️? (@devilsxblessing) October 17, 2020
Emails written to Airtel’s Privacy Officer bounced back. As the campaign gained pace, at around 5 pm on October 17th, Airtel responded to a Twitter user saying, “The policy mentions expansive definitions which may not be warranted & can be misconstrued. We’ll re-evaluate the Policy & make necessary amends. Customer privacy is paramount to us. We don’t collect customer info beyond what’s permissible by law.”
By 11 pm on October 17, Airtel reversed its Policy update and removed the terms: Sexual Orientation, Sex-life, Political, Religious and Philosophical beliefs, Health, Genetics, Biometrics, Race, Ethnicity, Trade Union membership, and Physiological data. Contrary to its previous response on Twitter, Airtel informed Gadgets 360 that this was an inadvertent error caused by using a generic template for the page.
Internet Freedom Foundation celebrated this change saying, “This signals a victory on how citizen voices can help secure privacy and bring accountability. Your voices, retweets and posts have an impact. Keep the faith!”
European Union’s General Data Protection Regulation (GDPR) does not allow processing of such sensitive personal data without obtaining explicit consent from users and without mentioning specific reasons for processing this data. Unfortunately, India lacks a strong data privacy law that can prevent companies like Airtel to obtain, process and share sensitive personal information.
Currently, the Personal Data Protection Bill, 2019 is being analysed by a Joint Parliamentary Committee in consultation with experts and stakeholders. However, as per Forbes India, the power that this bill grants the government, to access personal data is dangerous. Many believe that this bill would cause significant threats to the privacy of Indian citizens.