Rajeev Chandrasekhar's official website - Member of Parliament

GOVERNMENT OF INDIA
Ministry of: Communication and Information Technology
 

DEPARTMENT OF: TELECOMMUNICATIONS
RAJYA SABHA
UNSTARRED QUESTION NO 1347
TO BE ANSWERED ON 31.07.2015

Enactment of Privacy Legislation

1347. SHRI RAJEEV CHANDRASEKHAR 

Will the Minister of COMMUNICATION AND INFORMATION TECHNOLOGY be pleased to state:-

(a) whether the Ministry has taken note of the reports from June this year, that suggested that telecom operators were inserting surreptitious codes into user browsers to collate user data;

(b) whether the Ministry has conducted an investigation into these reports, if so, the details thereof; and

(c) whether the Ministry believes that there is an urgent need to enact a privacy legislation to protect the rights of citizens vis-a-vis the various official databases of Government which collates information about citizens?

ANSWER
THE MINISTER OF COMMUNICATIONS AND INFORMATION TECHNOLOGY
(SHRI RAVI SHANKAR PRASAD)

(a) Sir, the Government is aware about the media reports alleging invasion of customers’ privacy by M/s Bharti Airtel Limited by way of injecting some JavaScript into subscribers browsing sessions. 

(b) Telecom Regulatory Authority of India has asked M/s Bharti Airtel Limited to submit a detailed report on the matter. In response, it is stated by M/s Bharti Airtel Limited that a pilot test with one of its network partners using a third party solution from Flash networks through which customers were going to be made aware of the data usage in terms of megabytes used. It has been done solely with the object of improving customer experience and empowering customers to manage their data usage through suitable timely prompts in terms of volume of data used. Such solutions are already deployed and continue to be deployed by operators globally to enhance information, customer service and experience. Further, Bharti Airtel Limited has denied the allegations.
(c) To protect privacy and the rights of the citizens, Deprtment of Telecommunications has already mandated all the Telecom Service Providers as part of license conditions that licensee shall take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the Service and from whom it has acquired such information by virtue of the Service provided and shall use its best endeavours to secure that: 

a) No person acting on behalf of the Licensee or the Licensee divulges or uses any such information except as may be necessary in the course of providing such Service to the Third Party; and 
b) No such person seeks such information other than is necessary for the purpose of providing Service to the Third Party. 

Provided the above para shall not apply where: 

a) The information relates to a specific party and that party has consented in writing to such information being divulged or used, and such information is divulged or used in accordance with the terms of that consent; or 
b) The information is already open to the public and otherwise known. 

Further, Section 43, Section 43A and Section 72A of the Information Technology Act, 2000 provides comprehensive legal framework for privacy and Security of data in digital form. Sections 43 and 43A of the Act provides for compensation to be paid to the victim in case of unauthorized access of information and leakage of sensitive personal information respectively. Section 43A also mandates that body corporate, who collect personal data or information must provide privacy policy for handling of or dealing in personal information including sensitive personal data or information on their websites. They are also required to implement reasonable security practices and procedures to protect the information. Indian Computer Emergency Response Team (CERT-In) has also empanelled auditors to facilitate body corporate to audit their information technology infrastructure and implementation of security best practices.

Moreover, the interception and monitoring of communications messages is governed by the provisions of section 5(2) of Indian Telegraph Act, 1885 which empowers Central and State Governments to carry out interception of communication messages under stipulated conditions. The detailed procedure is provided in Rule 419A of Indian Telegraph Rules, 1951 for handling the lawful interception cases. Further, in case of lawful interception and monitoring, Rule 419A of Indian Telegraph Rules, 1951 inter-alia provides that

“14. The service providers shall put in place adequate and effective internal checks to ensure that unauthorised interception of messages does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of interception of messages as it affects privacy of citizens and also that this matter is handled only by the designated nodal officers of the company.

(15) The service providers shall be responsible for actions of their employees also and in case of established violation of licence conditions pertaining to maintenance of secrecy and confidentiality of information and unauthorised interception of communication, action shall be taken against the service providers as per provisions of the said Act, and this shall include not only fine but also suspension or revocation of their licences.”