Privacy experts in Bengaluru are calling for stricter laws to ensure businesses don’t insist on your phone number to complete a transaction.
The call comes in the wake of an incident involving Mahua Moitra, Trinamool Congress MP, on April 28. She was asked for her phone number and email ID at a sports goods store in Delhi when she was trying to buy a pair of trousers for her father. She tweeted that the practice was against the law.
Shweta Mohandas, policy officer with the Centre for Internet and Society, Bengaluru, says collection of phone numbers is not illegal under the Information Technology Act, but in most cases, businesses go overboard and collect information not essential to a transaction.
“For online delivery, the number may be required, but in most other cases, it is not, and the customer should have the option of not giving the number,” she says.
Businesses could also provide customers a choice of phone number or email. When it comes to offline transactions, it makes sense to have a privacy policy the customer can read. The store should let the customer know why the information is being collected, and take active consent. The customer should also be able to withdraw the consent later, she says.
Advocate Guru Prasanna suggests collection of personal information could be contested under the Consumer Protection Act. “Under that law, one can not only file a complaint against a defective product or deficiency of service, but also against any unfair trade practice. This includes bundled-up products, forcibly selling you things you don’t need, and unfair pricing,” he explains.
Section 2 (47) of the Consumer Protection Act covers unfair trade practices. “Collecting data is not part of the sale transaction. Now, because of digitisation, vendors want to collect and retain such information,” he says.
So is it illegal to collect personal data? Prasanna explains, “It is something that should not be done but it cannot be termed illegal. The severity changes on the basis of the nature of the transaction. Someone asking for your bank account details is putting you at a higher risk than someone asking you for your phone number.”
Purushotham Kittane, tech and privacy advocate at Nishith Desai Associates, says India’s data protection law is not the strongest in the world. “There are some protected categories of information, but name and contact details are not listed in this,” he says.
The upcoming Data Protection Bill may bring in stricter norms. As things stand, Indian laws protect customers from unauthorised disclosure of information, which means the vendors can’t disclose the personal data they have collected, he explains.
Section 2 (47) of the Consumer Protection Act contains a provision against unauthorised disclosure of personal information. “There are protections under Section 72 (A) of the Information Technology Act,” he says.
What she tweeted
Mahua Moitra (@MahuaMoitra) tweets, "Want to buy my dad trousers for Rs 1499 in CASH at @Decathlon_India Ansal Plaza & manager insists I need to put in my mobile number & email ID to purchase. Sorry @Decathlon_India you are violating privacy laws & consumer laws by insisting on this. Am at store currently."
‘Sorry, won’t share number’
Some customers turn down store requests for phone numbers. A store clerk once told Arvind Dwarakanath, a resident of Malleswaram, that he couldn’t be billed for goods if he didn’t provide his contact details. “I just said that there was no rule and the clerk agreed and went ahead and billed me,” he says. Faisal Patel, a resident of Kammanahalli, finds that chain stores refuse to bill customers without a phone number. “But, if you insist, they bill you with a dummy number,” he says.
Data minimisation policies being flouted
Anushka Jain, associate policy counsel (surveillance and transparency), Internet Freedom Foundation, Delhi, says the law will have to step in to curb the practice of collecting personal data. “There is a rule about sensitive personal data, but there is none governing personal data outside of that. Policies about data minimisation, which say data should be collected only where it is necessary, are not being followed,” she says. Sensitive Personal Data or Information Rules, issued by the Ministry of Communications and Information Technology, covers eight categories including bank account information, biometric information and health records, she says. Creation of any kind of database is problematic, as you don’t know how it will be used further, says Anushka. “The information could be sold off to insurance companies and such businesses. Another problem is profiling or surveilling,” she says.
Where to complain
Under the Consumer Protection regime, district, state and national forums are listed to enable aggrieved consumers to complain, says advocate Purushotham Kittane. “Under the IT Act, there is no separate regulator and the recourse is to take remedies from courts,” he says. Once the Data Protection Bill kicks in, there could be a Data Protection Authority, he says. Guru Prasanna, advocate practising in the Karnataka High Court, suggests the Consumer Affairs Ministry put out a guideline that it is not mandatory for businesses to collect personal information.