Telecom Act- India and its relation to Digital Privacy and Data Protection Act of 2023

April 12, 2024
Data Protection

By Anuradha Gandhi, Apalka Bareja & Rachita Thakur

Introduction

After the claims by a cybersecurity firm, CloudSEK, about its research on having found that hackers are selling 1.8 terabyte of database comprising 750 million Indian mobile consumers on the dark web, the Department of Telecommunication has asked the telecom service operators to conduct a security audit. The said information comprises of sensitive personal information of telecom subscribers that is, names, mobile numbers, addresses, and Aadhaar details.[1]

The magnitude of such data leak has the potential to lead huge loss business and financial losses to both individuals and organizations, identity theft, reputational damage and increased susceptibility to cyberattacks.

India’s telecom industry is the second largest in the world with a subscriber base of 1.181 bn as of September 2023 with one of the highest consumers of data every day (approximately 5 hours of daily time spend on smartphones).[2] Telecom sector integrally runs on data, that is to say, in the course of delivering their services, the telecom service providers get access to massive amount of data of telecom subscribers which includes call details, call records, calling patterns, locational data, data usage information, device information, biometric information etc. though the information is sensitive personal information, the ownership, access, authority to use, transact and delete data remain ambiguous.[3]

The Reforms

In 2023, two significant pieces of legislation, the Telecommunication Act 2023 (hereinafter referred to as the “Telecom Act”) and the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act”) came into existence that re-shaped the intersection of telecommunications and data privacy. Understanding the relationship between these Acts is essential in comprehending the contemporary digital environment in telecommunications

The Telecommunications Act, 2023

Definition of ‘Telecommunication’
The Telecom Act provides for a widened definition of the term ‘telecommunication’ under Section 2(p) to include transmission, emission, or reception of any messages, by wire, radio optical or other electro-magnetic systems, whether or not such messages have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception.

Existing Standards of Privacy

The Indian Telegraph Act of 1885 and the Indian telegraphy act of 1933 (hereinafter referred to as the “Telegraph Acts”) never explicitly mentioned about protecting the privacy of users and their data.

The provisions of licensing provided for protecting the data of subscribers, have been insufficient as compared to the desired level of data protection.

Risk of profiling– Whilst the Telegraph Acts provided that the messages of individuals can only be intercepted by the State, but there were no compelling provisions stopping telecom providers from monitoring communication and activity of subscribers.

Erroneous consent – Due to insufficient data protection regulation, Service Providers could save themselves for lack of accountability under the existing regulations. Consent terms usually used to be vague with scope for service providers to limit their liabilities to a large extent.

Respecting privacy of users – Furthermore, there were no sufficient provisions or rules for protecting the Individual privacy of users. Subscribers often get spam calls and marketing emails from telecom service providers.

Resultantly, there have been several instances where personal and confidential information of users was compromised. These lingering issues and concerns accelerated the requirement for a robust mechanism for protection of user data.

TRAI’s efforts

The Telecom Regulatory Authority of India (hereinafter referred to as “TRAI”) issued a directive in 2010 to all the telecom service providers directing them to ensure compliance of terms and conditions of licence regarding confidentiality of information of subscribers and privacy of communications. Thereby requiring them to put in place appropriate mechanisms to prevent breach of confidentiality.[4]

This reached a boiling point when TRAI (Telecom Regulatory Authority of India) came up with a limit of 100 SMSs per day to curb UCCs (Unsolicited Commercial Communications) however, this was seen as arbitrary by the court and the same was mandated to be scrapped for normal people but not for telemarketers who sent these messages. In this case of Telecom Watchdog vs Union of India[5] and another , the courts emphasized upon the annoyance and disturbance caused by these UCCs and the violation of personal data that is caused as a result of this.

Over time, TRAI has issued a number of directions to the telecom service providers, the recent one came on October 02, 2023 under the Telecom Commercial Communication Customer Preference Regulation, 2018 (“TCCCPR”) directing all telecom service providers to develop and deploy the digital consent acquisition facility in order to record customers’ consent digitally to receive commercial communication and unsolicited messages.[6]

In one of the cases, Nivedita Sharma v/s Bharathi Hexcom Ltd[7], the Hon’ble National Consumer Dispute Redressal Forum, had reiterated that the constant bombardment of telemarketing messages and the sharing of personal data by these telecom operators with banks and other third parties was indeed an offence. By sharing this data, they had violated the privacy of the customer as many third parties such as insurance providers and banks were given this data without the consent of the customer. This judgement emphasized on Data Protection and the need for telecom service providers to ensure the same.

The New Telecom Act

The Telecom Act prohibits interception of messages and calls of telecom subscribers by prescribing punishment of upto three (03) years or with a fine up to INR two (02) crores (20 million) or with both. However, the Telegraph Act prescribed a penalty of INR five hundred (500) along with imprisonment of up to 1 year.

While protecting the privacy of individuals, the Telecom Act, also makes exceptions for the State for intercepting messages and communication on the grounds of National Security, Friendly Relations with Foreign states, Undermines the territorial integrity and sovereignty of India, to preserve Public order and to prevent the incitement to the commission of an offense.

However, the Telegraph Act provided two grounds for lawful interception by State which is in the event of an ongoing public emergency or an ongoing threat to public safety. To consider the constitutionality of interception of messages and communication, the Supreme Court in the case of People’s Union Of Civil Liberties vs Union Of India And Anr. In 1996[8], the Supreme Court held that the government of India could not indulge in the tapping of phones or the interception of messages under 5(2) unless there is a public emergency or unless there is a threat to public safety, which has been defined under paragraph 28 of this judgement.

Addressing the Intersecting Realms between the Telecom Act and Data Protection

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDPA”), legislated to replace the Sensitive Personal Data Protection Rules framed under section 43A of the Information Technology Act, 2000 categorically specifies a robust framework for protection of data by defining the rights, duties and obligations of parties and grievance redressal. The provisions of the DPDPA are applicable on ‘intermediaries’ and telecom service providers/operators be their very nature are intermediaries and hence are data fiduciaries.

Telecom operators as Data Fiduciaries

Telecom operators are considered data fiduciaries under data protection acts when they handle and process personal data of their customers. A data fiduciary is an entity that determines the purposes and means of processing personal data and is responsible for ensuring that such data processing complies with relevant data protection laws.

The Telecom Act of 2023 under Section 28 categorically prohibits sending of ‘specified messages’ which include any message offering, advertising or promoting goods, services, interest in property, business opportunity, employment opportunity or investment opportunity, whether or not such goods, services are real or it is lawful to acquire such goods, services, etc. The section further enumerated certain conditions to be observed by the telecom operator such as:

  1. Prior consent of users for receiving specified messages;
  2. The telecom operators to maintain “Do not disturb” registers to ensure that users do not receive specified messages;
  3. The mechanism to support users to report malware or specified messages
  4. An online grievance Redressal mechanism should be establish to enable users to register grievances.

Thus, by virtue of the DPDPA, the telecom operators come within the purview of the DPDPA and hence the key areas of intersection include:

  1. Privacy – The DPDPA Act primarily is founded on the concept of ensuring privacy of user information based on the adoption of prescribed methods of collection of disclosure of such information while the same is also ensured under the Telecom Act thereby prohibiting anyone, but state (in case of emergency) to intercept and monitor messages of users under section 21.
    In the case of Nivedita Sharma v. Bharti Tele Ventures,[9] the National Consumer Redressal Commission in 2006 took note of the fact that subscribers often receive calls at odd hours and most of the time during personal and professional engagements of individuals which is gross violation of privacy. It was further observed that personal and confidential information of subscribers is also traded by telecom operators without obtaining consent or knowledge with third parties such a banks and financial institutions, etc. for monetary gains. This is against the contractual terms and leads to unjust enrichment of the telecom operators.
  2. Transparency and Consent – Unsolicited calls and bulk messages cause threat to user privacy by interfering with individual peace and private life. Consent with purpose limitation here is of utmost importance. Consent architecture has been redefined in both the legislations mandating telecom operators to obtain consent from users before sending them ‘specified messages’. The Telecom operators have to ensure adherence with the requirements of section 6 of the DPDPA which defines the mechanism for obtaining such consent while obtaining consent from users.
  3. Cyber Security – Section 22 of the Telecom Act empowers the Government to make rules for the measures to protect and ensure cyber security of telecommunication networks and telecommunication services. These measures include collection, analysis and dissemination of traffic data that is generated, transmitted, received or stored in telecommunication networks. Where traffic data means data generated, transmitted, received or stored in telecommunication networks including data relating to the type, routing, time or duration of a telecommunication.

Internationally set standards

To critically analyse the telecom act and the DPDP act, it is only pertinent that we analyse them while comparing the same to foreign telecom Operators:
a) United Kingdom:

  • The primary legislation that governs the telecommunications sector in the UK is the Communications Act of 2003.
  • Communication providers in the UK do not require a license to operate in the UK. They only require a license when they concern themselves with the use of spectrum or the use of radio apparatus.
  • The Office of Communications (Ofcom) is the primary regulator of UK telecommunications and regulates TV and radio sectors, fixed line telecommunications, mobiles, postal services, plus the airwaves over which wireless devices operate.
  • Just like in India, The Data protection act of the UK (1998) deals with the protection of personal data with regards to telecom operators and other entities.
  • Unlike in India, the UK has passed the National Security and Investment Act of 2021 and this allows for the UK government to intervene in acquisitions made in sensitive sectors including Telecom.
  • Ofcom aims to ensure universal access to telephone services and also periodically review the telecom market and impose conditions on “SMPs” or “Significant Market Power” telecom providers.
  • Ofcom also aims to act as a dispute redressal mechanism for consumers and service providers as well.

b) United States:

  • In the USA, the Communications Act of 1934 authorizes the Federal Communication Commission (FCC) to regulate telecommunications, cable, wireless, satellite and other similar devices in the USA.
  • The aforementioned act authorizes the FCC to regulate and provide licenses to telecommunication service providers and for the use of the Radio spectrum.
  • The FCC has made many regulations with regards to the protection of the personal data of the users.

With the growth in technology, the law needs to keep up and therefore, the new act regulating the telecom sector replaces the age old Telegraph act of 1885, to specifically address the growing concern over user privacy and control our data.

Akshay Krishna P, Assessment Intern at S.S. Rana & Co. has assisted in the research of this Article.

[1] https://telecom.economictimes.indiatimes.com/news/industry/cybersecurity-firm-claims-data-leak-of-750-million-telecom-users-dot-asks-telcos-for-security-audit/107244949#:~:text=With%20the%20personal%20information%20of,Security%20Research%2C%20Sparsh%20Kulshrestha%20said

[2] https://www.investindia.gov.in/sector/telecom

[3] https://www.trai.gov.in/sites/default/files/Consultation_Paper%20_on_Privacy_Security_ownership_of_data_09082017.pdf

[4] https://trai.gov.in/sites/default/files/Consultation_Paper%20_on_Privacy_Security_ownership_of_data_09082017.pdf

[5] Telecom Watchdog vs Union of India and another ,W.P.(C)8529/2011

[6] https://indiacorplaw.in/2023/12/the-dynamics-of-digital-consent-acquisition-the-trai-mandate.html

[7] Nivedita Sharma v/s Bharthi Hexcom Ltd, Appeal NO.52 OF 2012

[9] AIR1997SC568

[9] Nivedita Sharma v/s Bharthi Hexcom Ltd, Appeal NO.52 OF 2012

[10] https://indiankanoon.org/doc/31276692/

Related Posts

India gets its new Telecom Act

For more information please contact us at : info@ssrana.com