A resident in Greater Noida has complained about receiving repeated automated calls from IDFC First Bank, despite having no banking relationship with the institution. The calls, which are made through an artificial intelligence-powered system, have been persistent, with the complainant receiving multiple calls every day. The complainant has alleged that the calls have continued despite his repeated objections, and he has threatened to take legal action against the bank for breach of privacy, unfair trade practices, and misuse of automated communication systems.
The case raises questions about consent, privacy, and the limits of automated outreach in the age of AI. The complainant maintains that he never gave permission for his phone number to be used by the bank, and even if he had inadvertently given consent, it would not justify the multiple daily calls he has been receiving. Legal experts note that consent must be specific, informed, and revocable, and that automated calls, especially those made several times a day, risk crossing from legitimate communication into harassment.
The case is significant, as it highlights the need for regulatory frameworks to keep pace with technological advancements. The Digital Personal Data Protection Act, 2023, and the TRAI’s Telecom Commercial Communications Customer Preference Regulations, 2018, provide some safeguards against unsolicited commercial communications, but the use of AI systems complicates the issue. The question now facing regulators and possibly the courts is whether technological efficiency can coexist with respect for personal boundaries, or whether the law must draw firmer lines around the right to be left alone.
IDFC First Bank could face significant penalties if found liable, including fines of up to ₹250 crore under the Digital Personal Data Protection Act, 2023, and financial disincentives ranging from ₹1,000 per violation to ₹10 lakh or more under the TRAI’s regulations. The bank could also face action under the Consumer Protection Act, 2019, and the Information Technology Act, 2000, for unfair trade practices and unauthorized use of personal data.
The case serves as a reminder that financial institutions must act as responsible data fiduciaries and respect the rights of individuals to privacy and consent. As banks increasingly use automation to reduce costs and expand reach, they must ensure that their systems are designed to respect personal boundaries and comply with regulatory frameworks. The outcome of this case will be closely watched, as it could set a precedent for the limits of automated outreach and the protections available to individuals against harassment and invasion of privacy.