Telecom Act- India And Its Relation To Digital Privacy And Data Protection Act Of 2023 – Broadcasting: Film, TV & Radio

Introduction

After the claims by a cybersecurity firm, CloudSEK, about its
research on having found that hackers are selling 1.8 terabyte of
database comprising 750 million Indian mobile consumers on the dark
web, the Department of Telecommunication has asked the telecom
service operators to conduct a security audit. The said information
comprises of sensitive personal information of telecom subscribers
that is, names, mobile numbers, addresses, and Aadhaar
details.¹

The magnitude of such data leak has the potential to lead huge
loss business and financial losses to both individuals and
organizations, identity theft, reputational damage and increased
susceptibility to cyberattacks.

India’s telecom industry is the second largest in the world
with a subscriber base of 1.181 bn as of September 2023 with one of
the highest consumers of data every day (approximately 5 hours of
daily time spend on smartphones).² Telecom sector
integrally runs on data, that is to say, in the course of
delivering their services, the telecom service providers get access
to massive amount of data of telecom subscribers which includes
call details, call records, calling patterns, locational data, data
usage information, device information, biometric information etc.
though the information is sensitive personal information, the
ownership, access, authority to use, transact and delete data
remain ambiguous.³

The Reforms

In 2023, two significant pieces of legislation, the
Telecommunication Act 2023 (hereinafter referred to as the
“Telecom Act”) and the Digital Personal Data Protection
Act, 2023 (hereinafter referred to as the “DPDP Act”)
came into existence that re-shaped the intersection of
telecommunications and data privacy. Understanding the relationship
between these Acts is essential in comprehending the contemporary
digital environment in telecommunications.

The Telecommunications Act, 2023

Definition of ‘Telecommunication’

The Telecom Act provides for a widened definition of the term
‘telecommunication’ under Section 2(p) to include
transmission, emission, or reception of any messages, by wire,
radio optical or other electro-magnetic systems, whether or not
such messages have been subjected to rearrangement, computation or
other processes by any means in the course of their transmission,
emission or reception.

Existing Standards of Privacy

The Indian Telegraph Act of 1885 and the Indian telegraphy act
of 1933 (hereinafter referred to as the “Telegraph Acts”)
never explicitly mentioned about protecting the privacy of users
and their data.

The provisions of licensing provided for protecting the data of
subscribers, have been insufficient as compared to the desired
level of data protection.

Risk of profiling– Whilst the
Telegraph Acts provided that the messages of individuals can only
be intercepted by the State, but there were no compelling
provisions stopping telecom providers from monitoring communication
and activity of subscribers.

Erroneous consent – Due to
insufficient data protection regulation, Service Providers could
save themselves for lack of accountability under the existing
regulations. Consent terms usually used to be vague with scope for
service providers to limit their liabilities to a large extent.

Respecting privacy of users –
Furthermore, there were no sufficient provisions or rules for
protecting the Individual privacy of users. Subscribers often get
spam calls and marketing emails from telecom service providers.

Resultantly, there have been several instances where personal
and confidential information of users was compromised. These
lingering issues and concerns accelerated the requirement for a
robust mechanism for protection of user data.

TRAI’s efforts

The Telecom Regulatory Authority of India (hereinafter referred
to as “TRAI”) issued a directive in 2010 to all the
telecom service providers directing them to ensure compliance of
terms and conditions of licence regarding confidentiality of
information of subscribers and privacy of communications. Thereby
requiring them to put in place appropriate mechanisms to prevent
breach of confidentiality.⁴

This reached a boiling point when TRAI (Telecom Regulatory
Authority of India) came up with a limit of 100 SMSs per day to
curb UCCs (Unsolicited Commercial Communications) however, this was
seen as arbitrary by the court and the same was mandated to be
scrapped for normal people but not for telemarketers who sent these
messages. In this case of Telecom Watchdog vs Union of
India⁵ and another , the courts emphasized upon the
annoyance and disturbance caused by these UCCs and the violation of
personal data that is caused as a result of this.

Over time, TRAI has issued a number of directions to the telecom
service providers, the recent one came on October 02, 2023 under
the Telecom Commercial Communication Customer Preference
Regulation, 2018 (“TCCCPR”) directing all telecom service
providers to develop and deploy the digital consent acquisition
facility in order to record customers’ consent digitally to
receive commercial communication and unsolicited
messages.⁶

In one of the cases, Nivedita Sharma v/s Bharathi Hexcom
Ltd⁷, the Hon’ble National Consumer Dispute
Redressal Forum, had reiterated that the constant bombardment of
telemarketing messages and the sharing of personal data by these
telecom operators with banks and other third parties was indeed an
offence. By sharing this data, they had violated the privacy of the
customer as many third parties such as insurance providers and
banks were given this data without the consent of the customer.
This judgement emphasized on Data Protection and the need for
telecom service providers to ensure the same.

The New Telecom Act

The Telecom Act prohibits interception of messages and calls of
telecom subscribers by prescribing punishment of upto three (03)
years or with a fine up to INR two (02) crores (20 million) or with
both. However, the Telegraph Act prescribed a penalty of INR five
hundred (500) along with imprisonment of up to 1 year.

While protecting the privacy of individuals, the Telecom Act,
also makes exceptions for the State for intercepting messages and
communication on the grounds of National Security, Friendly
Relations with Foreign states, Undermines the territorial integrity
and sovereignty of India, to preserve Public order and to prevent
the incitement to the commission of an offense.

However, the Telegraph Act provided two grounds for lawful
interception by State which is in the event of an ongoing public
emergency or an ongoing threat to public safety. To consider the
constitutionality of interception of messages and communication,
the Supreme Court in the case of People’s Union Of Civil
Liberties vs Union Of India And Anr. In 1996⁸, the
Supreme Court held that the government of India could not indulge
in the tapping of phones or the interception of messages under 5(2)
unless there is a public emergency or unless there is a threat to
public safety, which has been defined under paragraph 28 of this
judgement.

Addressing the Intersecting Realms between the Telecom Act and
Data Protection

The Digital Personal Data Protection Act, 2023 (hereinafter
referred to as the “DPDPA”), legislated to replace the
Sensitive Personal Data Protection Rules framed under section 43A
of the Information Technology Act, 2000 categorically specifies a
robust framework for protection of data by defining the rights,
duties and obligations of parties and grievance redressal. The
provisions of the DPDPA are applicable on ‘intermediaries’
and telecom service providers/operators be their very nature are
intermediaries and hence are data fiduciaries.

Telecom operators as Data Fiduciaries

Telecom operators are considered data fiduciaries under data
protection acts when they handle and process personal data of their
customers. A data fiduciary is an entity that determines the
purposes and means of processing personal data and is responsible
for ensuring that such data processing complies with relevant data
protection laws.

The Telecom Act of 2023 under Section 28 categorically prohibits
sending of ‘specified messages’ which include any message
offering, advertising or promoting goods, services, interest in
property, business opportunity, employment opportunity or
investment opportunity, whether or not such goods, services are
real or it is lawful to acquire such goods, services, etc. The
section further enumerated certain conditions to be observed by the
telecom operator such as:

1. Prior consent of users for receiving specified messages;




2. The telecom operators to maintain “Do not disturb”
   registers to ensure that users do not receive specified
   messages;




3. The mechanism to support users to report malware or specified
   messages




4. An online grievance Redressal mechanism should be establish to
   enable users to register grievances.

Thus, by virtue of the DPDPA, the telecom operators come within
the purview of the DPDPA and hence the key areas of intersection
include:

1. Privacy – The DPDPA Act primarily is
   founded on the concept of ensuring privacy of user information
   based on the adoption of prescribed methods of collection of
   disclosure of such information while the same is also ensured under
   the Telecom Act thereby prohibiting anyone, but state (in case of
   emergency) to intercept and monitor messages of users under section
   21. In the case of Nivedita Sharma v. Bharti Tele
   Ventures,⁹ the National Consumer Redressal Commission in
   2006 took note of the fact that subscribers often receive calls at
   odd hours and most of the time during personal and professional
   engagements of individuals which is gross violation of privacy. It
   was further observed that personal and confidential information of
   subscribers is also traded by telecom operators without obtaining
   consent or knowledge with third parties such a banks and financial
   institutions, etc. for monetary gains. This is against the
   contractual terms and leads to unjust enrichment of the telecom
   operators.




2. Transparency and Consent – Unsolicited
   calls and bulk messages cause threat to user privacy by interfering
   with individual peace and private life. Consent with purpose
   limitation here is of utmost importance. Consent architecture has
   been redefined in both the legislations mandating telecom operators
   to obtain consent from users before sending them ‘specified
   messages’. The Telecom operators have to ensure adherence with
   the requirements of section 6 of the DPDPA which defines the
   mechanism for obtaining such consent while obtaining consent from
   users.




3. Cyber Security – Section 22 of the
   Telecom Act empowers the Government to make rules for the measures
   to protect and ensure cyber security of telecommunication networks
   and telecommunication services. These measures include collection,
   analysis and dissemination of traffic data that is generated,
   transmitted, received or stored in telecommunication networks.
   Where traffic data means data generated, transmitted, received or
   stored in telecommunication networks including data relating to the
   type, routing, time or duration of a telecommunication.

Internationally set standards

To critically analyse the telecom act and the DPDP act, it is
only pertinent that we analyse them while comparing the same to
foreign telecom Operators:

1. a) United Kingdom:
   

   • The primary legislation that governs the telecommunications
     sector in the UK is the Communications Act of 2003.

   
   

   • Communication providers in the UK do not require a license to
     operate in the UK. They only require a license when they concern
     themselves with the use of spectrum or the use of radio
     apparatus.

   
   

   • The Office of Communications (Ofcom) is the primary regulator
     of UK telecommunications and regulates TV and radio sectors, fixed
     line telecommunications, mobiles, postal services, plus the
     airwaves over which wireless devices operate.

   
   

   • Just like in India, The Data protection act of the UK (1998)
     deals with the protection of personal data with regards to telecom
     operators and other entities.

   
   

   • Unlike in India, the UK has passed the National Security and
     Investment Act of 2021 and this allows for the UK government to
     intervene in acquisitions made in sensitive sectors including
     Telecom.

   
   

   • Ofcom aims to ensure universal access to telephone services and
     also periodically review the telecom market and impose conditions
     on “SMPs” or “Significant Market Power” telecom
     providers.

   
   

   • Ofcom also aims to act as a dispute redressal mechanism for
     consumers and service providers as well.

1. b) United States:

• In the USA, the Communications Act of 1934 authorizes the
  Federal Communication Commission (FCC) to regulate
  telecommunications, cable, wireless, satellite and other similar
  devices in the USA.




• The aforementioned act authorizes the FCC to regulate and
  provide licenses to telecommunication service providers and for the
  use of the Radio spectrum.




• The FCC has made many regulations with regards to the
  protection of the personal data of the users.

With the growth in technology, the law needs to keep up and
therefore, the new act regulating the telecom sector replaces the
age old Telegraph act of 1885, to specifically address the growing
concern over user privacy and control our data.

Akshay Krishna P, Assessment Intern at S.S. Rana
& Co. has assisted in the research of this
Article.

Footnotes

1
https://telecom.economictimes.indiatimes.com/news/industry/cybersecurity-firm-claims-data-leak-of-750-million-telecom-users-dot-asks-telcos-for-security-audit/107244949#:~:text=With%20the%20personal%20information%20of,Security%20Research%2C%20Sparsh%20Kulshrestha%20said

2 https://www.investindia.gov.in/sector/telecom

3 https://www.trai.gov.in/sites/default/files/Consultation_Paper%20_on_Privacy_Security_ownership_of_data_09082017.pdf

4 https://trai.gov.in/sites/default/files/Consultation_Paper%20_on_Privacy_Security_ownership_of_data_09082017.pdf

5 Telecom Watchdog vs Union of India and another
,W.P.(C)8529/2011

6 https://indiacorplaw.in/2023/12/the-dynamics-of-digital-consent-acquisition-the-traimandate.html

7 Nivedita Sharma v/s Bharthi Hexcom Ltd, Appeal NO.52 OF
2012

8 AIR1997SC568

9 Nivedita Sharma v/s Bharthi Hexcom Ltd, Appeal NO.52 OF
2012

10 https://indiankanoon.org/doc/31276692/

Related Posts

https://ssrana.in/articles/india-gets-new-telecom-act/
India gets its new Telecom Act

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.