Increased security and data protection coming online

The telecommunications industry is highly competitive, with telecom players constantly trying to outstrip each other and conquer the market. The industry consists of a few telecom service providers (TSP) supported by technical service providers and outsourced entities. TSPs are regulated by a complex regulatory framework overseen by the Department of Telecommunications (DoT) of the Ministry of Communications and the Telecom Regulatory Authority of India (TRAI). In 2022, the telecom sector had 1.2 billion mobile phone subscribers. This number, increasing monthly by 0.03 per cent, has seen a parallel increase in processing of personal data over telecom networks by TSPs. Risks of data breaches have correspondingly grown.

No specific data protection law regulates TSPs. Their processing of personal data falls under a patchwork of personal data protection and cybersecurity laws. General data protection is found in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules). These set out a consent-oriented model of processing where entities must have the consent of data owners before collecting sensitive personal data, such as health or financial information. The rules impose no specific data security measures and organisations must implement measures commensurate with the type of personal data involved.

By contrast, the recent Cybersecurity Directions issued by the Indian Computer Emergency Response Team (CERT-In) impose specific cybersecurity obligations on businesses. Organisations must report cyber incidents, such as data breaches to CERT-In within six hours of discovery. This may be the shortest global timeline for reporting incidents. Other obligations include the maintenance of logs and records, synchronising IT system time clocks and liaising with CERT-In.

The unified licence operating agreements TSPs have with the DoT contain added data protection and cybersecurity requirements. These include ensuring the privacy of communications over TSPs’ networks, preventing unauthorised interception, implementing data localisation, as TSPs are not generally allowed to transfer subscriber data outside India, and compliance with standards such as ISO 15408 and ISO 27001.

Not only are data transfers by TSPs out of India affected by data localisation. Inward transfers from European countries are caught under the DoT’s broad powers of interception and monitoring provided in the Indian Telegraph Act, 1885. These affect the storage of data concerning foreign subscribers. This law, coupled with other legislative powers of interception, poses a significant risk of state access to personal data held or transmitted by TSPs. Data exporters in the European Union often have to take technical, contractual and organisational measures to counter the reach of Indian law when transferring data. This involves added costs for data exporters and the TSPs.

Through the Telecom Commercial Communications Customer Preference Regulations, 2018, the TRAI and the TSPs together regulate the transmission of commercial communications, such as transactional or promotional messages and calls. TSPs may sanction errant telemarketers and businesses sending unsolicited commercial communications. If TSPs onboard service providers or outsource core telecom functions, they must impose regulation and indemnities on their technical service providers contractually.

The Digital Personal Data Protection Bill, 2022 will replace the SPDI rules with greater data protection. The TRAI is also exploring telecom data protection to empower users through rights of choice, notice, consent, data portability and to be forgotten. It wants greater detail in TSPs’ consent mechanisms, replacing token obligations under the SPDI rules with a more demanding consent and subscriber-driven regime.

Artificial intelligence will significantly affect the telecommunications industry, with increased robocalls, phishing, smishing and other AI-enabled scams and their necessary countermeasures. The antiquated Telegraph Act should be replaced by a more robust framework regulating telecommunications and data, the government’s power to intercept data and the digital theft of networks and data.

Mathew Chacko is a partner, Aadya Misra is a counsel at Spice Route Legal. Shambhavi Mishra and Ajeeth Srinivas, both associates, also contributed to the article.