The Telecommunications Act, 2023 (the Telecom Act), which came into force in June 2024, is a significant step forward to address India’s evolving digital landscape. It amends and consolidates the legislative regime which was spread across a number of statutes.
The primary purpose of the Telecom Act is to facilitate the development, expansion and operation of telecom services and telecommunication networks and matters connected therewith or incidental thereto, such as assigning spectrum, improving telecommunication standards, prescribing conformity assessment measures for telecom service providers (TSPs), and setting up regulatory sandboxes.
Since the permitted activities of the TSPs ultimately affect almost every resident of India, the regulation should be evaluated on inter alia the following metrics: (i) impact on the privacy of the end customers; (ii) ease of doing business; and (iii) sustainability of the legislation in view of continual technological advancements in the sector including artificial intelligence.
The Telecom Act must also be consistent with the rights sought to be established under the Digital Personal Data Protection Act, 2023 (DPDPA), India’s first comprehensive legislation on data privacy and protection. The DPDPA received Presidential assent on 11 August 2023 and has been published for general information, but it is yet to come into force, and the rules under the DPDPA have yet to be framed.
An important provision of the Telecom Act is that TSPs must identify their customers through verifiable biometric identification in the prescribed form, although this provision is yet to come into force. The collection, use and storage of personal data, i.e., any data about an individual who is identifiable by such data, would be governed by the DPDPA when it comes into force. The biometric details of an individual qualify as personal data and thus the processing of such data further to the Telecom Act must align with the DPDPA.
Under the DPDPA, a TSP which collects biometric data of its customers is responsible for keeping such data secure and taking reasonable security safeguards to prevent personal data breaches. Given the burgeoning growth in the sector, some or all of the TSPs are likely to be categorised as ‘Significant Data Fiduciaries’ under the DPDPA. Such Fiduciaries would have to undertake significant obligations including periodic Data Protection Impact Assessment, a process that would assess and manage the risk to the rights of the consumer, a periodic audit, and other measures consistent with the DPDPA. The rules to be framed under the DPDPA are expected to set out the security safeguards to be implemented for processing of personal data.
The Telecom Act neither explains why TSPs must collect biometric information nor identifies what biometric information must be collected. This is all the more puzzling since UIDAI has been set up specifically for issuing unique identity proof and collecting biometrics.
Although the Telecom Act does not define biometric information, under the extant Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) ‘biometrics’ include technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes. Authorised third parties are entitled to and do carry out KYC checks via UIDAI. TSPs may easily be authorised to conduct Aadhaar-based verification of customers through the e-KYC portal set up by UIDAI. The e-KYC allows private agencies to authenticate their consumers through an Aadhaar verification without sharing any core biometrics, thus eliminating any need for TSPs to collect and retain excessive personal data. There is no justification for TSPs collecting and storing biometric information of customers. In this context it is relevant to note the Puttaswamy judgment of the Supreme Court, which rightly emphasised that extensive use of biometric data through Aadhaar KYC authentication, especially by private entities, could seriously breach privacy of individuals. The apex court has characterised biometric data to be innately human and has therefore ruled against the mandatory use of Aadhaar for services as the extensive collection of data is an invasion of a person’s privacy.
Apart from not providing even an explanation of why TSPs must collect biometric data, the Telecom Act provides no mechanism as to how the biometric data would be collected, where it would be stored, or how and why such information may be shared. This runs counter to the principles of the DPDPA and is likely a violation of the Constitutional right to privacy. It is also moot whether TSPs have the capabilities to collect and store biometric data of all customers. Indeed, TSPs and customers are put at risk by this stipulation of the Telecom Act.
Further, TSPs often connect with each other to enable services, domestically or internationally, and this codependence requires data sharing. In September 2024, Reliance Jio and Bharti Airtel announced a joint venture to combine and sell network Application Programming Interfaces (APIs) globally. This is expected to combine network APIs throughout the world and make newer telecom technologies more accessible, resulting in significant amounts of data pooling and sharing across companies. Even otherwise, TSPs use cloud services to store and manage their data, which poses significant risks to end customer privacy: inadequate encryption, insufficient access controls, or vulnerabilities in cloud infrastructure can lead to serious data breaches.
Additionally, the Digital Bharat Nidhi Rules, 2024 under the Telecom Act require any Digital Bharat Nidhi implementer that receives funding for establishing and operating a telecom network to make such network and telecom services available on an open and non-discriminatory basis, thus putting the personal data that might be collected by the TSP in a very vulnerable position. Any TSP with weak security measures could expose the interconnected network to interception or to significant data breaches.
The cybersecurity firm Zscaler has ranked India as the third-largest country globally for phishing attacks, and the technology industry was the target of nearly 33 percent of these attacks. In May 2024, the Department of Telecommunications (DoT) directed telecom operators to block all incoming international spoofed calls that displayed Indian mobile numbers, as these numbers were being used to commit financial frauds by misusing customer data. In the same month, DoT also issued directions to block 28,200 mobile handsets and reverify almost 20 lakh mobile connections that were suspected to have carried out financial frauds. It would be safe to infer that India has a lot of mobile phone users, about 1.2 billion of them, but most might not understand the complexities of such crimes or the precautions to keep them from falling prey. This stipulation therefore has the potential of making customers of TSPs more vulnerable to cyber crimes.
It is important to note that India’s privacy ecosystem is nascent. The lack of awareness of customers may be further exacerbated by the risk of deepfake technology. The US defines Deepfake AI as “technology that creates synthetic images and videos that look realistic”; it works by digitally manipulating the facial features of one person to look like someone else entirely. Deepfake technology can also be used on videos and voice clones. India is already tackling an alarming number of cyber crimes committed using deepfake technology, and the Minister of Electronics & IT has acknowledged deepfakes as a serious threat to democracy and social institutions across the world.
The Telecom Act also provides for Regulatory Sandboxes, which are live testing environments that would be created for products and services in the telecom industry to be tried with limited consumers. Sandboxes act as fertile grounds for fostering innovation within the industry. With TSPs set to identify their consumers through biometric information, regulatory sandboxes would also increase risks to personal data. The data collected by TSPs would be accessible to everyone in the sandbox, creating multiple nodes for data leakage amongst TSPs who may not maintain the same data protection standards across the board. TRAI, in its recommendations on Regulatory Sandboxes, has emphasised the importance of securely storing and disposing of data generated during sandbox testing. Stakeholders have also suggested that anonymisation of data used in the sandbox would ensure data protection of the biometric information collected.
The Draft Telecommunications (Telecom Cyber Security) Rules, 2024, released for public comments in August 2024, seek to govern the process of data collection under the Telecom Act and the safety standards that TSPs would be required to implement while doing so. These rules address the manner in which any data generated, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a telecommunication (i.e., traffic data), is collected, processed and transmitted. As per the draft, the Central Government may prescribe digital and other mechanisms for stakeholders and regulatory authorities to identify anyone who endangers telecom cyber security. Even if biometric data collection is one of the mechanisms, these draft rules do not address the timeline for retention of such biometric data or prescribe a limit on the agencies that can process such data.
It is, therefore, crucial that the proposed collection of biometric data must only be enforced after a proper legislative and regulatory framework is in place consistent with the principles of data minimisation and data protection under the DPDPA.
Bharucha & Partners – Kaushik Moitra and Karnika Vallabh