GREATER NOIDA: A resident’s complaint against a leading private sector bank over repeated automated calls despite no banking relationship has reopened questions about consent, privacy, and how far lenders can go in the age of AI-driven outreach.
A Phone That Would Not Stop Ringing
Every day, without fail, the calls arrive in the morning, again in the afternoon, and once more by evening. The caller is not a human being but an automated system speaking on behalf of a private bank. The recipient, a private individual in Greater Noida, says he has never held an account with the bank, never knowingly consented to be contacted, and yet has found himself drawn into a cycle of persistent outreach that feels impossible to escape.
The complainant alleges that the calls, often routed through artificial intelligence–powered systems, have continued despite repeated objections. The number in question, 969610000*, he says, has become a data point in a system that does not seem to distinguish between customers and non-customers. What began as a nuisance has now escalated into a question of rights: Can a bank repeatedly contact someone who has no formal relationship with it, and does automation dilute accountability for privacy intrusions?
Automated calls by the private bank at different hours of the same day
Legal Action by Consumer
The complainant has indicated that unless the calls cease immediately and an explanation is provided, he will approach the Consumer Forum and the Telecom Regulatory Authority of India (TRAI) for breach of privacy, unfair trade practices and misuse of automated communication systems.
The complainant demands that the private bank should examine its own records to determine how many AI-generated calls have been made to the number in question. Such an audit, the complainant believes, would reveal not only the scale of the intrusion but also whether safeguards against over-contact are functioning at all.
Privacy, Consumer Rights, and the Regulatory Net
Regulatory frameworks do exist. TRAI’s rules on unsolicited commercial communications place limits on frequency and require clear opt-out mechanisms. Separately, consumer law recognizes mental harassment and intrusion into privacy as actionable harms. When calls are generated by machines, accountability can become diffuse, spread across vendors, data processors, and the institution commissioning the outreach.
Legal experts note that repeated, non-consensual calls by a private bank to a private individual—especially one who is not an account holder—engage multiple layers of Indian law. They add that similar AI-driven calling practices are increasingly being adopted by other leading private banks in India, making the issue sector-wide rather than isolated.
Statutorily, the Digital Personal Data Protection Act, 2023 restricts processing of personal data without a lawful purpose or valid consent (Sections 4 and 6) and mandates data minimisation, making excessive or repeated automated calls potentially unlawful once consent is absent or withdrawn.
Telecom conduct is governed by the TRAI’s Telecom Commercial Communications Customer Preference Regulations, 2018, which prohibit unsolicited and repetitive commercial communications, including AI-driven or robocalls, and require immediate cessation upon objection.
Consumer law also applies: under the Consumer Protection Act, 2019, persistent unsolicited calling may amount to an unfair trade practice and mental harassment, even where the recipient is not a customer.
In addition, negligent or unauthorised use of personal data can attract liability under Section 43A of the Information Technology Act, 2000, while extreme persistence may, in certain circumstances, engage harassment-related offences under the Bharatiya Nyaya Sanhita (successor to the IPC).
Regulators, including the Reserve Bank of India, have repeatedly cautioned banks against aggressive or intrusive communication practices, reinforcing that financial institutions are expected to act as responsible data fiduciaries.
Therefore, the private bank can be slapped with heavy penalties like:
-
The Digital Personal Data Protection Act, 2023 imposes strict obligations on data fiduciaries: unlawful processing of personal data or continued processing after consent is withdrawn can invite penalties of up to ₹250 crore.
-
The TRAI Telecom Commercial Communications Customer Preference Regulations, 2018, under which unsolicited or repetitive commercial communications, including AI-driven or robo calls, can result in financial disincentives ranging from ₹1,000 per violation to ₹10 lakh or more, along with blacklisting of calling entities and suspension of telecom resources.
-
The Consumer Protection Act, 2019 treats persistent unsolicited calls and harassment as an unfair trade practice, empowering consumer commissions to award compensation for mental agony, impose punitive damages, and direct discontinuation of the practice.
-
Additionally, under Section 43A of the IT Act, 2000, unauthorised use of personal data can make an entity liable to pay damages by way of compensation to the affected individual.
-
Liability for criminal harassment by way of coercion under the Bharatiya Nyaya Sanhita, 2023.
-
The Reserve Bank of India, which has the power to impose monetary penalties, issue supervisory directions, and initiate compliance action against banks for customer harassment or misuse of personal data.
Consent in the Age of Automated Outreach
At the heart of the dispute lies the concept of consent. The complainant maintains that he never gave permission for his phone number to be used by the bank. Even if consent were inadvertently given at some point—through a misdirected form, a data aggregator, or a third-party platform—he argues that such consent cannot justify multiple daily calls.
Legal experts note that consent, under both consumer protection principles and telecom regulations, is meant to be specific, informed, and revocable. Automated calls, especially those made several times a day, risk crossing from legitimate communication into harassment. The use of AI systems further complicates the issue, as frequency and targeting are often determined by algorithms rather than human judgment, raising questions about proportionality and oversight.
As banks across India increasingly embrace automation to reduce costs and expand reach, individuals find themselves interacting with systems that can feel relentless and impersonal. The question now facing regulators—and possibly the courts—is whether technological efficiency can coexist with respect for personal boundaries, or whether the law must draw firmer lines around the right to be left alone.
