Home / Compliance Cues / Trade & Regulatory Compliance Updates / The Department of Telecommunication has released four draft rules for public consultation under the Telecom Act

The Department of Telecommunication has released four draft rules for public consultation under the Telecom Act

The Department of Telecommunication has released four draft rules for public consultation under the Telecom Act

While the Telecommunications Act, 2023 (Telecom Act) has been notified on 24th December 2024, it will come into force in a phased manner. The Ministry of Communications, vide gazette notifications dated 26th June 2024 and 4th July 2024, has brought into effect certain sections of the Telecom Act. Many provisions of the Telecom Act will be operationalized through rules. On 29th August 2024, the Department of Telecommunication (“DoT”) under the Ministry of Communication published drafts of the following four rules for public consultation till 27th September 2024 under the Telecom Act:

  • Draft Temporary Suspension of Telecommunication Services Rules, 2024: These draft rules intend to replace the extant Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017 (as amended) issued under the Indian Telegraph Act, 1885. The draft rules, to a large extent, retain the requirements outlined in the extant rules such as empowering the competent central/state authority to issue directions to suspend any telecommunication services for a period not exceeding 15 days, specifying the geographical extent of application, duration and reason for suspension of telecom services, review of orders passed by a committee led by the Cabinet Secretary/Chief Secretary, etc. However, some of the changes proposed may need further consideration. E.g. prescribing a period of a maximum of 15 calendar days for a suspension order is excessive (given that such orders are issued under exceptional and serious circumstances due to the wide ramifications and generally do not exceed 1- 3 days).
  • Draft Telecommunications (Procedures and Safeguards for Lawful Interception of Message) Rules, 2024: The Draft Rules, have mostly retained the requirements outlined in the extant rules for lawful interception under Rules 419 and 419A of the Indian Telegraph Rules, 1951 such as the designated competent authority, grounds for authorizing interception, the period for maintenance and destruction of interception orders, the procedure for implementing an interception order, etc. However, the draft rules also seek to introduce the following key changes:
    • Requiring entities establishing/operating/maintaining telecom networks (such as terrestrial or satellite networks, etc.), in addition to telecom service providers, to comply with interception orders.
    • DoT and Telecom service providers must undertake measures to prevent unauthorized interception,
    • The provision to fine or suspend/revoke the license of telecom service providers for not maintaining secrecy and confidentiality of interception orders/for unauthorized interception has been removed.
    • There is a clear exclusion for demonstration and testing of lawful interception systems and monitoring facilities that telecom entities might be required to put in place by the Government. However. the term “lawful interception systems and monitoring facilities” has not been defined.

    The draft rules suffer from the same shortcomings that the extant regime on interception is subject to, in so far as, the lack of appropriate safeguards for protecting the privacy of individuals (despite the right to privacy being recognized as a fundamental right) and the lack of meaningful and independent judicial or parliamentary oversight. Also given the wide definitions of terms in the Telecom Act describing and defining relevant and applicable stakeholders, at this stage it is unclear whether OTT communication services will be covered within the purview of the interception orders or not.

  • Draft Telecommunications (Telecom Cyber Security) Rules, 2024: These Draft Rules seek to replace the Mobile Device Equipment Identification Number Rules of 2017 (as amended). Further, the Draft Rules empower the central government/ its authorized agency to ‘seek traffic data’ and any other data from a telecommunication entity for cyber security. Additionally, these rules require telecom entities to:
    • adopt a telecom cyber security policy,
    • comply with prescribed standards,
    • conduct a periodic audit,
    • appoint a Chief Telecommunication Security Officer,
    • establish facilities such as a Security Operations Centre to monitor cyber security threats, details of threat actors, maintenance of logs, etc.
    • report any security incident within 6 hours to the Central Government,
    • prohibit or limit access to telecommunication services to designated persons for 3 years.

    The Draft Rules also require all mobile devices to have their identification numbers (IMEI) registered with the Government, and in case of any tampering with the IMEI or device, the devices will be blocked by the Government from accessing networks.

  • Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024: The Telecom Act introduces the concept of ‘Critical Telecommunication Infrastructure’ (“CTIs”) which would be a telecommunication network, or its part notified by the central government, which if disrupted would have a ‘debilitating impact on national security, economy, public health or safety’. These Draft Rules require telecom entities, upon request of the Central Government, to disclose details of their networks, services, and equipment to the Government to enable identification and notification of CTIs.
  • The CTIs have to inter alia:

    • allow the Central Government to inspect the software and hardware of CTIs of telecom entities,
    • implement security measures and maintain records,
    • provide details to the government of their Cyber Crisis Management Plan,
    • inform the Central Government within two hours of a security incident, etc.

    The Chief Telecom Security Officer has been made responsible for the implementation of these draft rules.

Our Take

While the effort of the DoT to undertake public consultation on the draft rules is laudatory, there are several aspects that require further and careful deliberations. For instance, there is a need to institute a specific provision in the Telecom Act itself which requires the Government/regulator to undertake a public consultation process before notification of any regulations/rules. Furthermore, such regulations/rules should have a sunset clause or a requirement to review the same every 5-10 years.

Another aspect that requires clarification is with respect to the applicability of the Telecom Act and rules thereunder to OTT communication services. The definitions of terms like ‘telecommunication services’ and ‘telecommunication entity’ under the Telecom Act and draft rules are wide enough to include OTT Communication Services like WhatsApp, iMessage, etc. within its ambit. This has understandably caused a lot of regulatory uncertainty about the applicability of the Act to such services. In case the Telecom Act and the Draft Rules are made applicable to OTT Communication Services, then the authorities could, among other things, order the interception of messages exchanged over such services which offer end-to-end encryption. Accordingly, the DoT should issue a formal clarification regarding the applicability of the Telecom Act and the rules made thereunder to OTT communication services.

The Draft Rules lack substantive safeguards against executive overreach as they mandate a review of orders issued for interception, and suspension of telecom services by authorities to a review committee headed by the Cabinet Secretary/Chief Secretary, therefore retaining executive control. The Srikrishna Committee Report in 2018 noted that the Review Committee has an unrealistic task of reviewing 15000-18000 interception orders in every review meeting held once in 2 months, which calls into question their ability to properly scrutinize these orders. The report also highlighted the need for parliamentary or judicial approval/oversight of such orders and noted that executive review alone is not in tandem with comparative models in democratic nations which either provide for legislative oversight (Germany), judicial approval (UK) or both (South Africa).

Links