
In an era defined by digital connectivity and interactions driven by the continuous exchange of data, modern communication has become increasingly susceptible to external surveillance. One of the primary modes of communication is voice calling. When a voice call is intercepted, tapped or recorded, the intervening party automatically gains access not only to the personal conversation between the two parties, but also to the voice and language patterns of the parties participating in the call.
With the development of data protection regimes across the world, multiple jurisdictions consider voice to be identifiable personal information, bringing the tapping or recording of calls under the ambit of all applicable data protection laws. The implications of this would impact all persons that currently record or monitor the calls between other parties. Parties with vested interests, such as service providers that record customer interactions, employers that monitor employee performance through recorded communications, and tech developers that wish to train a model using a celebrity’s voice sample, will now be required to ensure that they are in compliance with the applicable data protection laws.
This article examines the legal framework that governs the tapping and/or recording of calls, exploring the consequences that such oversight has on the fundamental rights of the persons participating in the call. The article elaborates on the evolving landscape of the data protection and privacy laws in India, and the impact that these evolutions may have on the recording of calls by various persons.
Privacy as a Constitutional Right
The courts in India have time and again reiterated that recording a person’s calls without their knowledge is a breach of privacy. It has been reaffirmed through various judgements that the right to privacy includes the confidentiality of personal conversations[1]. This breach of privacy violates the individual’s fundamental rights under Article 19 (Protection of certain rights regarding freedom of speech, etc.) and Article 21 (Protection of life and personal liberty) of the Indian Constitution.
Privacy under the erstwhile framework
Personal information has been dealt with under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). While the IT Act and the SPDI Rules do not directly address a situation where a third party may record the conversation taking place between two other persons, they lay down certain obligations for body corporates that collect, receive, possess, store, deal or handle information pertaining to a person. This includes making a privacy policy available and communicating to the person the purpose of collection and usage of such information and the reasonable security practices and procedures adopted by the body corporate.
The obligations and thresholds set out in the IT Act and the SPDI Rules will have to be adhered to up until the date that the latest data protection laws come into effect. This means that the participants in a call will need to be informed that their conversation is being recorded, alongside the purpose behind the said recording.
Privacy under the DPDP Act
The legal implications of recording calls are riddled with complications, especially in light of the notification of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). In accordance with the erstwhile framework, the coming into force of the DPDP Act has made it more apparent that a person’s voice is classified as their ‘Personal Data’, making the compliances surrounding this issue even more stringent.
In addition to the obligations detailed by the IT Act and the SPDI Rules, any party wishing to record a call or conversation will need to comply with all the obligations that a Data Fiduciary (as defined under Section 2(i) of the DPDP Act) is required to undertake. As an additional step, such party will be required to acquire the explicit consent of the person whose voice is being recorded. Under Section 6(1) of the DPDP Act, this consent is required to be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of his/her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. Further, with effect from May 12, 2027, a body corporate will need to demonstrate that affirmative consent was obtained from the person to whom the personal data pertains, i.e., the person on the call. Simply communicating the fact that the call is being recorded and personal data is being collected, as was the case under the IT Act and SPDI Rules, will not be enough.
Conclusion
It is apparent that privacy and data protection are now at the forefront of the legal discourse in India, but it remains to be seen how corporate entities are able to adapt to this evolving ecosystem of data protection. The enhanced obligations imposed with regard to the acquiring of consent, processing of personal data and deletion of personal data are making the compliances associated with the applicable data protection laws a lot more nuanced. Corporate entities will have to inculcate a culture wherein consent and privacy are taken into consideration at every step of a commercial engagement. A culture that steadfastly protects privacy would ensure that corporate entities are not encumbered by the ramifications under the IT Act and DPDP Act.
[1] K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1; People’s Union for Civil Liberties v. Union of India, AIR 1997 SC 1203.













