Introduction

Telecommunications, hailed as an 'essential service', forms the backbone of a country's economic growth and infrastructure. Telecommunication not only enables social connectivity, but also contributes significantly to the country's economy, facilitates remote working and education, and smoothens coordination during emergencies.

Over the last couple of years, the legal and regulatory landscape relating to technology and telecommunication has significantly evolved due to advancements in digital innovation and infrastructure. Accordingly, most legislations in the digital and information communication technology (ICT) sector have been undergoing transformational changes. However, as a byproduct of the digital transformation in the telecommunication sector, privacy and data protection-related concerns have arisen, which are now being discussed and regulated across the globe.

In India, such data protection concerns were sought to be addressed through the enactment of the Digital Personal Data Protection Act, 2023 (the Act). Shortly following this landmark development, on December 24, 2023, the Telecommunications Act, 2023 (the Telecom Act) was enacted which overhauled the century-old Indian Telegraph Act, 1885 (the Telegraph Act) and other laws that have so far governed the telecom regulatory space in India.

There is a great deal of similarity between the prevailing telecom regulatory framework in India and the Telecom Act in terms of fundamental concepts (like the requirement for authorization from the Government, robust subscriber verification formalities, regulation of telecom services, right to lawfully monitor and intercept the network, etc.). That said, an attempt has been made under the Telecom Act to consolidate and give a statutory basis to many such requirements as well as to prescribe stringent consequences for non-compliance.

Specifically in the telecommunications sector, privacy and data protection is a significant matter of concern as it involves the transmission of a wide range of sensitive and confidential information over its networks. Any unauthorized access and use of the information contained in telecom networks could potentially impact not just national security and business interests but also result in increased exposure to privacy risks and harm to individuals. It is, therefore, crucial to critically review the impact of the Telecom Act on the data protection-related aspects.

On the other hand, the Act, which is inspired by the General Data Protection Regulation (GDPR) to a large extent, emphasizes fundamental tenets of data protection like data minimization, purpose limitation, and storage limitation. Consent of data principals (akin to data subjects under the GDPR) is the main basis for processing data, along with a handful of other purposes (like compliance with law, performance of state functions, medical emergency, etc.) where personal data can be processed for certain other legitimate uses. There are requirements to implement appropriate technical and organizational measures to comply with the provisions of the Act and employ reasonable security safeguards to prevent personal data breaches. All entities that determine the purposes and means of processing are required to comply with such obligations. In addition to the above obligations that cut across all sectors and industries, the Act gives precedence to sectoral laws and regulations on specific aspects relating to cross-border data transfer.

Impact of the Telecom Act on data protection and cybersecurity

Use of verifiable biometric-based identification for subscriber verification

The Telecom Act prescribes that an authorized entity (i.e., an entity that has obtained authorization from the Central Government to provide telecommunication services, establish a telecommunication network, or possess radio equipment pursuant to the Telecom Act) should identify its subscribers of telecommunication services through the use of verifiable biometric-based identification. Notably, mandatory collection of verifiable biometric-based identification documents in such a manner could raise grave concerns relating to the unauthorized use of biometric information, and increased risk of biometric data breaches including financial fraud, identity theft, etc. It is therefore paramount to ensure that telecom entities that have access to biometric-based information use appropriate security controls commensurate with the nature of the data that is being processed. It is important to note that the use of biometric-based authentication methods under the Aadhaar framework by private entities (including telecom service providers) was struck down by the Supreme Court of India in the past. Thereafter, a series of amendments were introduced to legitimize the use of such methods, which sought to be further reinforced by way of the Telecom Act.

Requirement to use telecommunication identifiers

The Telecom Act requires authorized entities to use 'telecommunication identifiers' allocated by the Government. In simple terms, 'telecommunication identifiers' refer to digits, characters, symbols, or a combination of them, used to identify a particular user. If any person uses a telecommunication identifier not allotted or permitted under the Telecom Act, such person shall be punished with imprisonment for a term of up to three years or a fine of up to INR 5 million (approx. $60,000). With specific requirements to this effect and harsh ramifications for non-usage of allotted identifiers, features such as 'number masking,' and anonymization of caller identity (which are critical from the perspective of maintaining the privacy of calling parties) may no longer be available for use. Currently, the use of such features is rampant across various consumer services like food delivery, transportation, telemedicine, etc. which will require reassessment by service providers and platform enablers unless specifically exempted.

Powers of the Government

Under limited circumstances relating to public emergency, disaster management, or in the interest of public safety, the Government may take temporary possession of any telecommunication service or telecommunication network from an authorized entity. Additionally, under the prescribed circumstances, such Government powers can also extend to interception, detention, or requirement to disclose 'messages' shared between individuals in an intelligible format. In the absence of appropriate safeguards and regulatory oversight, such powers of the Government could result in concerns related to increased surveillance and monitoring of communication channels ultimately culminating in a chilling effect on the freedom of speech and expression of individuals. Given that most of these Government powers will be exercised in an opaque manner, especially when it is exercised in the interest of national security, there is limited visibility on how such vast amounts of personal data are collected and processed, the likelihood of misuse or abuse of such information, use of information for profiling of individuals, etc. Similar provisions are also present in the prevailing regulatory framework and despite prescribed checks and balances (which include the capability of only designated officers to raise such requests, scrutiny of such requests by a review committee, maintenance of confidentiality, etc.), such requests have always been a bone of contention between the Government and service providers. Such powers of the Government have also impacted data transfers from other jurisdictions. That said, it remains to be seen to what extent the Government's powers will be balanced against adequate procedural safeguards and judicial scrutiny to ensure minimal chances of abuse.

Potential conflict with prevailing cybersecurity laws

The Central Government also has the power to make rules setting out the measures to protect and ensure the cybersecurity of telecommunication networks and telecommunication services. Notably, there is a separate framework under the Information Technology Act, 2000 (IT Act) for cybersecurity and directions issued by the Indian Computer Emergency Response Team (CERT-In) which inter alia sets out the measures to be followed in case of cyber incidents and cybersecurity incidents. There have also been reports of the Telecom Computer Emergency Response Team (Telecom-CERT), i.e., the Department of Telecommunication's emergency response team for cybersecurity in telecommunications. With the new telecom law having the power to write rules for the future of cybersecurity in telecommunications, it will be interesting to witness how cybersecurity laws in telecom interplay with the prevailing general cybersecurity regime in India.

Standards for encryption and data processing

In addition to standards for cybersecurity, the Government can also prescribe standards for encryption and data processing in telecommunication. At present, the telecom license conditions allude to the IT Act on matters relating to encryption, but no encryption standards have been stipulated under the IT Act. The standalone Internet Service Provider (ISP) license in the preceding regime, however, set out a requirement for using 40-bit encryption which caused significant hardship in the industry and led to the removal of this requirement under the Unified License framework. It will have to be seen if a similar approach will be adopted under the Telecom Act.

Furnishing of information

If the Central Government is satisfied that any information, document, or record relating to inter alia telecommunication service or telecommunication network availed by any entity is necessary to be furnished for civil or criminal proceedings, such entity may be directed to furnish such information, document, or record. This would entail entities being compelled to disclose sensitive information that could compromise an individual's privacy expectations. Additionally, this could also raise concerns relating to the potential misuse and possible secondary uses of such data, if adequate data security practices are not implemented. Hence, it is pertinent that all such disclosure requests should be reviewed to ensure that it is aligned with the underlying principles of the data protection laws and do not culminate in unauthorized use of data.

Protection of users

The Telecom Act also promises to effectively address the unsolved menace of spam and unsolicited commercial communications. Notably, such communications known as 'specified messages' under the Telecom Act include any message offering, advertising, or promoting inter alia goods and services. The Central Government is likely to issue rules setting out the measures for the protection of users including requiring the prior consent of users for receiving specified messages, preparation and maintenance of 'Do Not Disturb' registers, including a mechanism to enable users to report malware or specified messages received in contravention of the rules. These rules will operate in conjunction with regulations issued by the Telecom Regulatory Authority of India for regulating commercial communications, which have been in existence for over half a decade. Such measures are crucial components of data protection as they aid in enhancing customer trust, safeguarding privacy, minimizing the risk of data breaches, and fostering responsible data processing by companies.

Duty of users

Lastly, the Telecom Act also casts a duty upon individuals to inter alia not furnish false information or impersonate another person while establishing identity for the purpose of availing telecommunication services. This enhances the accuracy of datasets, ultimately promoting greater accountability and deterrence for individuals to engage in malicious activities and misuse of telecommunication services. Given the fact that the information collected through telecommunications networks is often used for the investigation of offenses and detection of crime, imposing punishment against individuals for non-compliance with this duty increases the credibility of information processed in such circumstances.

Conclusion

Given that telecommunication networks are major targets for cybersecurity incidents at a large scale, data protection and cybersecurity practices hold paramount importance in the sphere of telecommunication. Accordingly, it is pertinent to ensure that all data processed in the context of telecommunications is carried out in line with standards set out under the prevailing data protection laws. Any deviation from compliance with the data protection laws should be specifically authorized under the prevailing laws and all processing activities should satisfy the test of legitimacy, necessity, and proportionality. All data protection principles, particularly, data minimization should be carefully applied for the collection and processing, and only the minimum amount of data that is required for the specific purpose for which it is processed to reduce unnecessary exposure of personal data.

Pertinently, the provisions of the Telecom Act also apply to offenses committed outside India, if such act or conduct in question involves a telecommunication service provided in India, or telecommunication equipment or telecommunication network located in India. Hence, all data processing activities of such foreign entities will have to be undertaken in line with the Act as well. Both the Telecom Act as well as the the Act being important pillars of technology and telecommunications in India were enacted around the same time and therefore compliance with both these laws will go hand in hand. While these laws are yet to take effect, it will be interesting to see companies aligning their businesses with the new regulations to foster a responsible digital future.

Harsh Walia Partner
[email protected]
Shobhit Chandra Counsel
[email protected]
Sanjuktha A. Yermal Associate
[email protected]
Khaitan & Co, Delhi