India’s New Telecom Act Raises Significant Privacy Concerns

India’s Department of Telecommunications (DoT) recently introduced the Telecommunications (Telecom Cyber Security) Rules, 2024, under the Telecom Act, 2023, to fortify telecom infrastructure against cyber threats. However, experts argue these measures lack sufficient safeguards for user privacy while imposing costly compliance burdens on telecom entities.

Under the new rules, telecom operators must report cybersecurity incidents within six hours and provide detailed follow-up information within 24 hours — timelines described as “unrealistic” by the Internet Freedom Foundation (IFF). For comparison, global standards, such as the EU's GDPR, require similar incidents to be reported within 72 hours.

The rules also permit the government to collect and share telecom metadata to ensure cybersecurity. While content data collection was omitted from the final draft, privacy advocates remain concerned. Namrata Maheshwari, senior policy counsel at Access Now, highlighted the absence of independent oversight to The Record, stating, “The law lacks clear restrictions on the government’s authority to collect such data, share it with other agencies, or store it.”

The rules’ vague phrasing around data usage further fuels fears of potential misuse. The IFF warns that such broad powers could lead to government overreach, endangering citizens' fundamental rights. Additionally, the government can suspend telecom services if users violate poorly defined obligations, raising further red flags.

Further, the IFF notes that the stringent timelines and detailed reporting obligations could lead to operational inefficiencies and increased costs, potentially impacting consumer pricing.

Though the rules include measures like a centralized reporting portal, these are seen as incremental improvements rather than comprehensive solutions.

Indian government handling of sensitive consumer data is also raising concerns due to its poor track record of cybersecurity. In 2024, an Indian Government-owned cloud server was discovered exposing citizen’s PII for years. Just a month later, hackers were found illegally planting links to betting sites on government websites.