A mobile number is often shared casually in daily life — to book a cab, receive a delivery, complete a digital payment, or obtain a service update. Yet the fact that a number is visible in a transaction does not make it freely available for personal use. Under India’s Digital Personal Data Protection Act, 2023, a mobile number can constitute personal data when it relates to an identifiable individual, and its use must remain tied to a lawful purpose.
This means that if a number is shared for a limited purpose, such as ride coordination, billing, delivery, or customer support, it should not ordinarily be reused for personal messaging, unrelated marketing, or informal follow-up without a valid legal basis. The law is gradually reinforcing a simple principle: access to personal data is not the same as permission to use it however one wishes.
Many privacy concerns do not begin with a dramatic cyberattack. They begin with small acts of misuse by individuals who have temporary access to customer information. A phone number taken from a ride record, an order screen, a billing database, or a payment interaction may seem insignificant, but once it is used beyond its original purpose, the issue moves from convenience to compliance.
This is especially important in platform-based services where drivers, delivery agents, employees, vendors, or support staff may have limited access to customer details. In such settings, the law expects organisations to implement reasonable safeguards, clear internal controls, and accountability mechanisms to prevent misuse at the human level, not merely at the technical level.
The legal principle in simple terms
The central idea is purpose limitation. Personal data collected for one purpose should not be casually diverted to another unrelated purpose. The DPDP Act permits processing of personal data for a lawful purpose, generally based on consent or certain recognised legitimate uses, and the individual must be informed about the personal data being processed and the purpose for which it is being used.
In practical terms, if a person gives a phone number only to complete a ride, confirm a delivery, receive a bill, or verify a transaction, that number is not automatically available for personal conversation later. A seemingly harmless message may therefore become legally problematic when it ignores the original context in which the data was shared.
A passenger shares a phone number to help a driver locate the pick-up point or coordinate arrival. After the trip is over, the driver sends a personal WhatsApp message unrelated to the ride. The concern here is that the number was shared for transportation service, not for personal interaction. If such communication continues after disinterest is shown, the issue may also take on the character of harassment or stalking depending on the facts.
2. Delivery contact used later
A customer provides a mobile number for order confirmation and doorstep delivery. After the service is completed, the delivery agent uses that number for personal conversation or unrelated contact. Even if the message appears informal or friendly, the legal question remains the same: was the data used for the purpose for which it was given?
3. Billing information reused for marketing
A consumer gives a phone number at a shop counter for invoice delivery or transaction confirmation. Soon afterwards, the number is used for promotional calls, third-party offers, or unrelated commercial outreach. This can raise issues not only under data protection law but also under telecom rules governing unsolicited commercial communication.
Why it affects women’s safety more deeply
For many women, misuse of a phone number is not merely an inconvenience. Repeated contact, unwanted familiarity, or communication outside the original transaction can create fear, anxiety, and a sense of being watched. Where the person already knows travel details, residential location, or routine movement because of the service interaction, the misuse of contact information may also affect the woman’s sense of physical safety.
The legal system increasingly recognises that digital contact can become an instrument of intimidation. Under the Bharatiya Nyaya Sanhita, repeated unwanted attempts to contact a woman despite disinterest may amount to stalking, and electronically transmitted obscene or harassing content may invite further criminal consequences depending on the circumstances.
Where customer data is used beyond its lawful purpose, consequences may arise at more than one level. Under the DPDP Act, organisations that fail to implement reasonable safeguards or fail to properly handle personal data breaches may face substantial financial penalties, with the statutory framework allowing penalties up to ₹250 crore for certain contraventions.
In appropriate cases, individual conduct may also attract provisions of the Bharatiya Nyaya Sanhita relating to stalking or harassment, the Information Technology Act for unlawful disclosure or misuse of information, and TRAI’s framework concerning unsolicited commercial communications. Not every inappropriate message will automatically lead to prosecution, but repeated, intrusive, obscene, threatening, or commercially exploitative conduct can certainly trigger legal remedies.
What organisations should learn
The lesson for organisations is straightforward. Data compliance is not limited to privacy policies, server protection, or cybersecurity software. It also requires clear employee instructions, restricted access, training of drivers and agents, internal disciplinary systems, and a culture that treats customer data as confidential and purpose-bound.
A company that allows easy viewing, copying, or informal reuse of customer contact information may face regulatory exposure even where the initial misuse is committed by an individual employee or service provider. The law increasingly expects businesses to build privacy protection into everyday operations.
What the general public should remember
A personal phone number does not become “publicly usable” merely because it was visible on an app, order screen, bill, or payment record. Consent is not implied by access, and familiarity is not created by a transaction. Personal data shared for service must remain confined to service unless a valid and lawful basis exists for further use.
India’s privacy framework is moving toward a culture of digital respect. The message is simple but important: a phone number shared for service is not an invitation for personal contact. Respecting that boundary is not only good conduct — it is increasingly a legal responsibility.
Print Page
No comments:
Post a Comment