Data protection: Call records to be stored in anonymised format

To bring in greater protection of consumer data and prevent misuse in cases of breach of network security, the department of telecommunications will direct telecom operators to store the call data records (CDR) of subscribers in an anonymised format. This will be done by assigning specific encrypted codes in place of the numbers from where calls are made or received.

However, if subscribers need their CDR from the operators, the latter will decrypt the codes and provide the detailed bill.

CDR is the detailed record of all the telephone calls that pass through the network, but does not contain their content. It is different from legal interception of calls for which an elaborate process is already in place, which will not be changed. In legal interception, calls are monitored on real-time basis for security purposes. These numbers are provided by intelligence agencies.

Officials said that the provision to anonymise CDRs of subscribers is part of the Telecom Act, so it will not require any further approval of the Cabinet. The step will be taken because instances of cyber attacks have increased and if there’s any breach of network security, call records of subscribers can be put up on the dark web, which will amount to breach of personal data protection.

Besides preventing any such misuse, anonymisation will also provide legal immunity to the government and the Telecom Regulatory Authority of India from charges of infringing consumer privacy if they analyse CDRs.

The analysis of CDRs by the DoT and Trai is required to check the quality of service, like instances of call drops.

In 2020 when DoT had demanded call detail records from the telecom operators in Delhi to check quality of services, telecom operators and other industry associations had expressed concern over providing the same for VVIP numbers on grounds of privacy. DoT had then clarified that the data can be sent in an anonymised format.

Section 22 of the Telecom Act, 2023 states that the government may by rules provide for the measures to protect and ensure cyber security of telecommunication networks and telecommunication services. The measures may include collection, analysis and dissemination of traffic data that is generated, transmitted, received or stored in telecommunication networks.

The Act defines traffic data as any data which is generated, transmitted, received or stored in telecommunication networks including data relating to the type, routing, duration or time of a telecommunication.

Besides defining the objectives of traffic data analysis, the rules will also specify which departments and the rank of officials will have the right to seek CDRs for purposes of analysis, among other things.