wordpress blog stats
Connect with us

Hi, what are you looking for?

Bombay High Court issues notice to Union govt, NPCI over ‘data privacy breach’ by Truecaller, app denies allegations

truecaller screen

Some of the allegations leveled against Truecaller include the collection of IP addresses, device IDs, and automatically signing up users for the app’s now-defunct UPI payment services. 

The Bombay High Court has issued a notice to the Union government and the National Payment Corporation of India (NCPI) seeking their response to public interest litigation (PIL) alleging that Truecaller, a caller ID verifier app, was “sharing” user data, thus breaching data privacy of users. However, a Truecaller spokesperson, while responding to queries made by MediaNama, denied the allegations and maintained that it is ‘compliant with data privacy laws and stand ready to comply with other data protection laws anywhere in the world’.

In his notice, dated July 7, a copy of which MediaNama has seen, Chief Justice Dipankar Dutta and Justice Girish Kulkarni said, “Having heard the petitioner in person for some time, we are of the opinion that notice on this petition is required to be issued to the respondents. Accordingly, we issue notice to the respondents returnable after three weeks.” The matter is set to be heard next on July 29.

The petitioner, Shashank Posture, in his PIL alleged that Truecaller International LLP, which operates the Truecaller app has breached the data privacy of cell phone users. Posture has submitted that such activities are illegal and contrary to the position in law on privacy of the cell phone users.

The bench noted, “In addition to Court notice, the petitioners are permitted to serve the respondents by a private notice and place on record affidavit of service. In case the respondents are served before the returnable date, the respondents are at liberty to file their reply affidavits.”

Advertisement. Scroll to continue reading.

What does the petition say?

In his petition, law student Posture claimed that there was a need to protect millions of citizens from Truecaller as they were allegedly collecting data unlawfully. These are the salient submissions they made in their PIL —

  • Collection of call data by Truecaller will cause a negative impact on national security and amounts to a breach of privacy
  • Exemption clauses in Truecaller’s privacy policy leave no choice for users except to adhere to terms of service
  • Data collected by the app can be used for marketing and advertising
  • App allegedly collects data from users even after an account is deactivated
  • Truecaller purportedly created UPI IDs for users without bank accounts in ICICI Bank
  • Truecaller allegedly collects sensitive information including geo-location, IP address, device ID, as well as browsing history, etc.
  • Truecaller was automatically registering their users on UPI without consent and thus financial details of citizens like bank account details, or credit/debit card details were being breached by Truecaller.

Grievance against NPCI: Posture, in his PIL, said that the National Payments Corporation of India allegedly failed to do its duty of monitoring Truecaller’s activities with regards to ICICI Bank. The National Payments Corporation of India is an umbrella organisation for operating retail payments and settlement systems under the ownership of the Reserve Bank of India in India.

What is the relief sought by the petitioners?

The PIL urged the court to —

  • Declare that Truecaller’s terms and services and privacy policy was against the public
  • Direct Truecaller to delete all personal data of Indian citizens obtained without valid consent
  • Direct Union government to conduct an enquiry into the activities of ICICI Bank and Truecaller

Not sharing data with anyone, stopped UPI in 2019: Truecaller

“Pursuant to a strategic business decision last year, Truecaller discontinued offering Unified Payments Interface (UPI) payment services and has not signed up any new users on UPI since August 2019,” a Truecaller spokesperson told MediaNama in a statement. The spokesperson said that it has not received any formal communication regarding the PIL so far, and would be able to comment more on the matter when they do.

“We are compliant with data privacy laws and stand ready to comply with other data protection laws anywhere in the world. In addition, Truecaller practices ‘data minimisation’ – taking only the data required for our service to work, and nothing else.

Truecaller does not sell or share user data. We deeply care about our users and their data, and would like to assure them that we securely handle their data and process it as per our Privacy Policy.” – the Truecaller statement said.

Claims of Truecaller data breach made in 2020: The personal data of 47.5 million Indians — including their phone number, service provider, name, gender, city, email, and Facebook ID, among other things — claimed to be sourced from caller ID app Truecaller is available for sale on the dark web for $1,000 (₹75,000), cybersecurity firm Cyble had said in 2020.

However, Truecaller, in a statement to MediaNama, had denied any breach of its database. A Truecaller spokesperson said: “ We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before. It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell. We urge the public and users not to fall prey to such bad actors whose primary motive is to swindle the people of their money.”

Also read

Advertisement. Scroll to continue reading.

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ