The Government's got your number (and more) #SaveOurPrivacy

tl;dr

The Department of Telecommunications (DoT) amended the Unified License in December 2021 to extend the period of retention of call records and internet usage data from one year to two years. Worried about the implications of this change on privacy, we wrote to the DoT asking them to recall the amendments and conduct a public consultation before introducing or implementing any similar amendment in the future.

What happened?

On December 21, 2021, the DoT introduced new amendments to the Unified License through two circulars, both of which are numbered 20-271/2010 AS-I (Vol.-III) (Link to Circulars 1 & 2). Through the amendments, the DoT has extended the duration of storing Call Detail Records/Exchange Detail Records/IP Detail Records of subscribers (‘Subscriber Data’) to two years. Previously, the storage duration for Subscriber Data was one year. This data contains sensitive details regarding attributes of a phone call such as time, duration, completion status, source number and destination.

As per Condition 5.1 of the Unified License Agreement, the licensor, i.e., DoT, reserves the right to modify the terms and conditions of the license at any time, if it is expedient to do so for public interest, security of the state, or for proper conduct of telegraphs. However, the circulars do not specify which of the above conditions necessitated the present amendment. Moreover, such an amendment should only have been made after a public consultation and inviting insight from stakeholders; however, this process was not adopted. On December 31, 2021, we filed a right to information request with the DoT inquiring about these amendments; however, in their response dated February 17, 2022, they failed to answer any of our questions satisfactorily.

Why is this an issue?

There are multiple issues with the amendments including the way they have been put in place as well as the content of the amendment itself. Below we list out the major issues:

  1. Amendments have been put in place without any public consultation with relevant stakeholders: This change has been made without carrying out any consultation process with relevant stakeholders to assess its impact. The extension of the time period for Subscriber Data is a worrying step. Data retention mandates need to be specifically reasoned and justified for their aim and period. This draws from the principle of storage limitation, which recognizes that personal data collected should only be stored for such duration as is necessary for the fulfillment of the purpose for which it was collected. Further, such overlong storage raises the concern of illegal and overbroad surveillance of citizens by government agencies which may seek to keep a watch on everyday interactions of citizens. Therefore, any such amendment needs to be reviewed by the relevant stakeholders, which include civil society members who work on issues related to privacy as well as telecom and internet service providers who will be made to comply with the amendments. However, the DoT has failed to carry out a public consultation before enacting these amendments.
  2. No data protection law to safeguard citizens’ privacy: At present, India does not have any personal data protection law in place to protect the privacy of its citizens. In such a situation, there are no statutory restrictions on authorities when they collect personal data. As a result, they may unnecessarily collect, retain and process data, which results in violations of privacy and misuse of data.
  3. Weak surveillance architecture in India enables state-sponsored mass surveillance: Misuse is also facilitated by the gaps in India’s surveillance architecture, which consists mainly of two legislations. The Information Technology Act, 2000 (link) and the Indian Telegraph Act, 1885 (link) contain provisions related to the surveillance of data and phone calls respectively. However, both these legislations have faced criticism for failing to put into place procedural safeguards which would ensure that the actions of the Executive have sufficient oversight to protect against misuse. In the absence of such oversight, fears of overbroad and illegal surveillance have continued to plague the collective psyche of Indian citizens.
  4. Amendments are violative of the Supreme Court’s Right to Privacy & Aadhaar decisions: The Hon’ble Supreme Court of India recognised the fundamental nature of the right to privacy in K.S. Puttaswamy vs Union of India (Puttaswamy - I) (link), wherein the Court held that any invasion into the privacy of the people by the government must fulfill the three-prong test of legality, necessity and proportionality. Presently, the amendments do not state the reason for which the retention period has been extended. Therefore, it is impossible to judge the necessity of the amendment, i.e., whether there is a legitimate state aim which is fulfilled through the amendment. Further, in the absence of a legitimate state aim, it is not possible to assess whether the proportionality threshold is fulfilled. Even if we assume that the Unified License has been amended in the interest of the security of the state, retention of Subscriber Data for a period of 2 years is disproportionate as the Union Government has not provided any reasons why retention for 1 year was not sufficient. Thus, the amendment does not withstand legal scrutiny. Additionally, the Supreme Court in K.S. Puttaswamy vs Union of India (Puttaswamy - II) (link) has relied upon the ruling in Puttaswamy-I to strike down Regulation 27(1) of Aadhaar (Authentication) Regulation, 2016 on the ground that it permitted UIDAI to archive authentication transaction data for a period of 5 years. The Supreme Court ruled that the regulation ‘severely affected’ the right of the citizen to erasure of data or the right to be forgotten, and thus, such data should not be retained for more than 6 months. The amendments to the Unified License raise similar concerns. Therefore, in the existing circumstances any amendment which requires the retention period of Subscriber Data to be extended should first be made available for stakeholder inputs. In the absence of transparency around such decisions, accountability of public officials suffers.
However, in the present scenario, the biggest blow would be to the privacy of citizens whose data will be stored for longer durations than necessary to fulfill the purpose for which it was collected.

Our recommendations

In our letter to the DoT, we have made the following recommendations:

  1. Recall the amendments: As we have pointed out above, the extension of the data retention period is a worrying step which could potentially result in mass surveillance and harm citizen privacy. Therefore, we have asked the DoT to recall the relevant amendments.
  2. Hold a public consultation for any such change in the future: We are in the present situation because these amendments were not opened for public review and comments which would have allowed the relevant stakeholders to point out to the DoT the issues with the amendments. Therefore, it is necessary that in the future any such amendments to the Unified License must be made only after a public consultation exercise has been completed to ensure that stakeholders can raise such issues to the DoT before implementation.

Important Documents

  1. Letter to the DoT on the amendments to the Unified License extending the period of subscriber data retention dated February 21, 2022 (link)