DoT rolls back order on Pre-installing of Sanchar Saathi App amidst Rising Privacy Concerns

By Vikrant Rana, Anuradha Gandhi and Prateek Chandgothia

Introduction

On November 28, 2025, the Department of Telecommunications (hereinafter referred to as ‘DoT’) issued an order (hereinafter referred to as ‘the order’) directing smartphone manufacturers and importers of mobile handsets to pre-install the state developed ‘Sanchar Saathi’ mobile application on all new devices intended to be sold in India. It also mandated that the app must be pushed through software updates for all devices that have already been manufactured and are in sales channels in India. The manufacturers and importers are given a 90 days implementation timeline and the deadline for submission of compliance report is set at 120 days.[1]

What is Sanchar Saathi?

The Sanchar Saathi is a web and mobile app based portal which was launched by DoT, in January 2025, to enhance user centric cyber security and increase user awareness. Users can:

Report suspected fraud communications and unsolicited commercial communication including international numbers,
Block lost/ stolen mobile handset,
Inquire about the mobile connection in the user’s name,
Know genuineness of their mobile handset,
Inquire about availability of internet service providers in their area.
It also hosts a directory of trusted contact details of bank/ financial institutions.[2]

Why is Government pushing for Pre-Installed Sanchar Saathi App?

The Government has stated the Sanchar Saathi portal has proved to be instrumental in preventing cyber frauds and other related unlawful activities. As per official data, the portal has been used:

To trace and block approximately 18 lakh lost or stolen mobile handset.
By approximately 291 lakh users to know the mobile connections in their name.
To take actions against approximately 96 lakh suspected cyber fraud communications.
This includes blacklisting of 257 principle entities, blocking of 2,27,288 mobile handsets, and disengaging 83,929 WhatsApp accounts amongst other actions. [3]

Government rolls back the Order

Initially, the DoT order mandated that manufacturers must ensure that the Sanchar Saathi App is easily accessible during the device setup, with no disabling or restriction of it features. This particular clause of the order sparked concerns for violation of User consent and discretion to determine the apps a user wants to have on her mobile device. In response to these concerns, the union minister of communications, Shri Jyotiraditya Scindia, later clarified in the Parliament that the Users will be able disable or delete the app from their devices.[4] However, on December 3, 2025, the Government revoked the order and rolled back the mandatory pre-loading of the Sanchar Saathi app after widespread privacy concerns.[5]

What were the Key Concerns?

Sanchar Saathi on all smartphones sold in India

In addition to the preloading of the app on mobile handsets manufactured in the future, the order stated that the manufacturers and imports of smartphones must also make an endeavor to push the app on devices already manufactured and are in sales channels through software updates. Now, specific software updates for devices sold after a particular date is not possible, therefore, if the app is pushed through a software update, it would have been pre-installed in all the devices sold in India.[6]

Pre-installing an app partially impedes User Consent

Pre-installing a mobile application removes an important layer of friction, i.e., the need for users to actively download and install the app on their devices. This friction serves a valuable purpose, as it allows users time to reflect on whether they truly wish to engage with the services offered by the application. Such a user experience consideration becomes even more significant in the context of India, where digital literacy is still evolving across society.

Apple expresses Concerns over the Order

Currently, iPhones constitute 9% of the Indian smartphone market.[7] Reportedly, Apple conveyed that it planned to not comply with the order of mandatory pre-installing of the Sanchar Saathi App. A company spokesperson cited that Apple did not comply with similar orders in any country around the world. The order raises security and user privacy issues in their IoS operating system.[8] The spokesperson also conveyed to leading news portals that there is a risk of users’ personal data, such as IMEI number and call history, being leaked from the portal and the app.[9]

Snooping Concerns over State Developed Applications

Privacy concerns around mandatory pre-installing of a State developed application in smartphones are deep-rooted in instance around the world. In October 2019, China’s communist party launched ‘Study the Great nation App’ which provided official news and images and encourages people to earn points by reading articles. The App was made mandatory for Party officials and civil servants and was tied to wages in some workplaces. As per report by Cure 53, a cybersecurity penetration tester company, the app contained a code resembling a back door, which was able to run arbitrary commands with super user privileges.[10]

What PI is collected by Sanchar Saathi App?

For undertaking the specified functions, the app will require some general permissions and some critical system level permissions. This includes:[11]

Reading and sending SMS,
Accessing call logs,
Using the internet,
Viewing the system information (such as phone number and serial number)
Checking whether a call is active and which number it is connected to,
Viewing network status,
Writing to external storage.
It also asks for camera permission to scan the barcode of the IMEI to check if a phone is genuine or stolen.

Government’s stance on DPDP Compliance of Sanchar Saathi

The Government has stated that the App is compliant with the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’) and the Rules thereunder (hereinafter referred to as ‘DPDP Rules’) and collects only the minimum personal information (hereinafter referred to as PI) necessary to provide services. Sanchar Saathi limits data collection to legitimate purposes, minimizes data capture, and implements clear consent mechanisms. The platform does not create profiles for commercial marketing, nor does it share user data with third parties. Data sharing is strictly limited to law enforcement when legally required, ensuring protection against unauthorized access and misuse of data.[12]

However, certain aspects such as the manner of consent withdrawal and exercising of User rights as per DPDPA, specific retention periods, and grievance redressal mechanism require some clarity. For now, the User can send in their requests or grievances through the ‘Contact Us’ page which provides the contact details of Sanchar Saathi Help Desk. Additionally the App’s Privacy Policy uploaded on the Sanchar Saathi Portal lacks clarity and transparency regarding the types of data collected and processed by the application and only mentions the types of permission it seeks. [13]

Lack of transparency causing Confusion

The Government’s push to mandatory pre-install Sanchar Saathi indicates towards an effort to prevent the rising menace of digital arrests, cyber frauds and other related unlawful activities in the cyberspace. On the face of it, this seems like a positive step towards citizen welfare, however, the opaqueness of the entire process sparked concerns amongst the Public. The Order was sent confidentially to the smartphone manufacturers without adequate consultation in the Parliament or disclosure to the general public.[14] Thereafter, the part of the order which mandated the smart manufacturers to ‘ensure the app is easily accessible during the device setup, with no disabling or restriction of its feature’, was later refuted by the Union minister of Communications in the Parliament.

When can the State intervene into Individual Privacy?

The Supreme Court in the Justice Puttaswamy Judgement[15] laid down a threefold test to evaluate the legality of State action which affects the right to privacy of the person(s):

The action must have a legislative mandate
There must be legitimate state aim
The state’s action must have a rational connection between the objective and the means used to achieve it.

In this context the legitimate state aim is being stated to be prevention of cyber frauds and cyber-crimes which seems substantial. The legislative mandate for this action may be derived from Section 20(2) of the Telecommunications Act, 2023[16] which gives the Government power to direct blocking, intercepting, detaining or disclosure of a message or class of messages if it is expedient to do so in the interest of the sovereignty and integrity of India, defense and security of the State, friendly relations with foreign States, public order, or for preventing incitement to the commission of any offence. Lastly, the rational nexus between the objective and the means used to achieve it is determined by courts on a case to case basis.

While big tech companies already bundle pre-installed apps with the mobile handset, pre-installing a state developed application for a specified purpose must pass the aforementioned conditions to satisfy the legality of the order. This legal question remains to be answered by the Courts.

In the Anuradha Bhasin Judgement[17] the Supreme Court observed that,

“Liberty and security have always been at loggerheads. The question before us, simply put, is what do we need more, liberty or security? Although the choice is seemingly challenging, we need to clear ourselves from the platitude of rhetoric and provide a meaningful answer so that every citizen has adequate security and sufficient liberty. The pendulum of preference should not swing in either extreme direction so that one preference compromises the other. It is not our forte to answer whether it is better to be free than secure or be secure rather than free. However, we are here only to ensure that citizens are provided all the rights and liberty to the highest extent in a given situation while ensuring security at the same time.”

This indicates that there can be no blanket answer to the balancing of liberty with security and the same can be only decided on a case by case basis.

Some of the recent developments of State intervention in User Privacy

DoT’s SIM Card Binding Directive

On November 28, 2025, DoT issued directions to major App Based Communication Services under the Telecom Cyber Security Rules, 2024[18] to implement Sim Card Binding. Currently, a user can verify the accounts on apps like WhatsApp, Telegram or Snapchat once and continue to keep using it even when the SIM card is removed, changed or even switch to Wi-Fi. This allows cybercriminals to exploit this security gap to run large‑scale, often cross‑border, and digital frauds. DoT has directed mandatory and continuous sim binding within 90 days.[19]

Search and Seizure of Virtual Digital Spaces by Tax Authorities

The Income Tax Bill, 2025 which was introduced in February 2025, gave sweeping search and seizure powers to tax authorities in relation to ‘Virtual digital space’ for certain specified purposes including carrying out an obligation under the law in force and for the purpose of law enforcement.

(To read more on the Income Tax Bill, 2025, refer to – https://ssrana.in/articles/digital-data-access-and-privacy-in-the-income-tax-bill-2025/ )

Digital Personal Data Protection Framework and Pre-installed Sanchar Saathi App

The applicability of the DPDPA and the DPDP Rules must be determined in 2 different cases.

Case 1: Prevention of cybercrime is included with the scope of ‘Security of State’ or ‘Public order’

In this case, Section 17(2)(a) of the DPDPA exempts the processing of PI by the state or its instrumentalities for the purpose of ensuring ‘security of state’ and ‘public order’. Therefore, this order shall be exempted and the processing of PI by Sanchar Saathi shall not be required to comply with the provisions of the DPDPA.

However, here the Schedule 2 of the DPDP Rules shall come into play which prescribes certain standards for processing of PI by State and its instrumentalities for the exempted purposes. These standards include:

Processing of PI must be limited to the specified exempted purpose
Reasonable efforts must be made to ensure completeness, accuracy and Consistency of PI.
Deletion of PI after the purpose is served
Implement Reasonable Security safeguards to prevent data breach
Accountability of the personal in charge of determining the purpose and means of processing PI must be determined.

Case 2: Prevention of cybercrime is not included within the scope of ‘Security of State’ or ‘Public order’.

In this case, the processing of PI through the Sanchar Saathi app shall comply with the provisions of the DPDPA. The Government would be the Data fiduciary and would be required to comply with the obligations of data fiduciaries as prescribed under DPDPA.

Therefore, in addition to the compliances mentioned in Case 1, following are some of the major obligations under the DPDPA with which the Government will need to comply:

Safeguard the Rights of Data Principals under Chapter III.
Obtain Consent under Section 6.
Provide Notice to the users in compliance with Section 5.
Report Personal Data breach to the Data Protection Board within 72 hours under Section 8 read with Rule 7.
Implement Grievance Redressal Mechanism under Section 8 (10)
Implement appropriate technical and organizational measure under Section 8(4)
Other Obligations as prescribed under the DPDPA and DPDP Rules respectively.