tl;dr
On November 21, 2024, the Department of Telecommunications (“DoT”) notified the Telecommunications (Telecom Cyber Security) Rules, 2024 (“Telecom Cyber Security Rules, 2024”). This is the first set of rules to be issued under the newly enacted Telecommunications Act, 2023 (“Telecom Act”). Previously, on August 28, 2024, DoT released the draft Telecommunications (Telecom Cyber Security) Rules, 2024 (“draft rules”) for public consultation, providing a thirty-day window for comments. IFF submitted detailed comments on the draft rules. It is to be noted that the responses received from stakeholders on the draft Telecom Cyber Security Rules have not been made public by the DoT to date. This post includes IFF’s initial analysis of the Telecom Cyber Security Rules.
Important Documents
- Telecommunications (Telecom Cyber Security) Rules, 2024 (link)
- IFF’s analysis of the Draft Telecom Cyber Security Rules, 2024 (link)
- IFF’s consultation response on the Draft Telecom Cyber Security Rules, 2024 (link)
- The Telecommunications Act, 2023 (link)
- IFF’s first read of the Telecom Bill, 2023 (link)
Background
The Telecom Cyber Security Rules have been released in pursuance of Section 22(1) read with Section 56(2)(v) of the Telecom Act, which was enacted amid widespread chaos in the Parliament while over 140 opposition Members were suspended. The Telecom Act received Presidential Assent and was published in the gazette on December 24, 2024. On June 21, 2024, the Ministry of Communications issued a gazette notification to bring into effect certain sections of the Act, namely Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62, from June 26, 2024.
The Telecom Cyber Security Rules are aimed at ensuring the security of the telecommunications industry by placing obligations on telecommunication (“telecom”) entities to undertake measures to protect cyber security.
Key changes in the Telecom Cyber Security Rules following public consultation
The substance of the Telecom Cyber Security Rules has been retained from the draft version. However, certain key changes have been made to the rules following the public consultation.
Removal of the definition of ‘traffic data’
Rule 2(1)(h) of the draft rules defined ‘traffic data’ as “… any data generated, transmitted, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a telecommunication”. In our consultation response, IFF raised the concern that this definition is ambiguous and that its phrasing may be interpreted broadly to include the contents of messages. The risk remains that ‘traffic data’, which the Union government is permitted to collect under Rule 3 of the Telecom Cyber Security Rules, could be read to include messages and their contents, which would result in a significant violation of the privacy of users. However, instead of providing a clear definition of ‘traffic data’, the Telecom Cyber Security Rules have omitted the definition entirely, which further intensifies the pre-existing definitional ambiguity. The Union government now has additional wriggle room to delineate its own understanding of ‘traffic data’ and to use it to broaden the scope of data that it may collect from telecom entities.
Inclusion of purpose limitation for sharing of collected data
Rule 3(1) of the Telecom Cyber Security Rules allows the Union government (or any authorised agency) to collect traffic data as well as any other data from telecom entities. Further, Rule 3(2) allows the Union government to disseminate or share the collected data with any agency of the Union government engaged in law enforcement and security related activities, with telecom entities and with users. In contrast to the draft rules, Rule 3(2) of the Telecom Cyber Security Rules now carries a proviso stating: “Provided that any data so disseminated or shared, shall not be used for any purpose, other than for ensuring telecom cyber security.”
It is laudable that the government has taken a step towards data protection by including a purpose limitation for the sharing of data. However, this does not begin to scratch the surface of the data privacy concerns in Rule 3(2) of the Telecom Cyber Security Rules. In its consultation response, IFF pointed out that the data collection and sharing powers awarded to the Union government come in the absence of any significant safeguards. Rule 3(2) does not specify which authority or entity may analyse the collected data. Further, the overbroad phrasing used both for the justification for sharing the data (“protecting and ensuring telecom cyber security”) and for the entities with whom such data may be shared opens this provision up to potential misuse. Despite IFF having offered recommendations on this point, the Telecom Cyber Security Rules also do not specify any limit on the duration for which collected data may be stored, whether by the telecom entity or by the entities and users with whom it has been shared, effectively allowing data to be retained indefinitely without any legal or procedural constraint.
Modification in reporting of security incidents
Rule 7 of the draft rules required telecom entities to report the occurrence of security incidents, along with the specified relevant information, within a mere six (6) hours. The Telecom Cyber Security Rules have retained the six (6) hour timeframe for reporting security incidents, along with relevant details of the affected system and a description of the incident, but now provide a period of twenty-four (24) hours to furnish all other relevant information. It is laudable that information which telecom entities earlier had to furnish within six hours may now be compiled and reported within twenty-four hours. However, the fact remains that there is no change to the timeline for the actual reporting of security incidents; the relaxation is limited to the furnishing of information related to the incident.
In our consultation response, IFF had argued that a six hour timeframe for reporting security incidents is highly unrealistic and unfeasible for telecom entities. Instead of a thrust on quick reporting, the focus ought to be on allowing the telecom entity adequate response time and on realistic timelines for accurate reporting. The prescribed timeline of six hours for reporting security incidents, and even the twenty-four hour timeline for furnishing information, is also not in line with global best practices. For instance, in the United States, the Cyber Incident Reporting for Critical Infrastructure Act prescribes a seventy-two (72) hour timeframe to report cyber incidents. Similarly, Article 33 of the General Data Protection Regulation allows a span of seventy-two (72) hours to notify personal data breaches. Drawing on the same, IFF had recommended a timeframe of seventy-two (72) hours to report security incidents. However, this recommendation has been disregarded, and the pre-existing unfeasible timelines, which will most likely result in diminished quality of reporting, have been retained in the Telecom Cyber Security Rules.
Introduction of a portal for digital implementation of rules
Rule 9 of the draft rules allowed the Union government to specify appropriate means for the digital implementation of the rules. Rule 9 of the Telecom Cyber Security Rules now states that the Union government will notify a ‘portal’ for the digital implementation of these rules. Telecom entities would use this portal for reporting purposes and for making submissions under these rules. Having a centralised portal that encompasses all the compliance and reporting obligations under these rules is a significant boost for ease of doing business. If implemented effectively, the portal is likely to significantly reduce compliance costs for telecom entities.
IFF’s Statement on the Telecom Cyber Security Rules
On the whole, IFF asserts that the Telecom Cyber Security Rules have taken minor steps to accommodate the recommendations and comments raised during the public consultation. However, these steps are too insignificant to address the root cause of the concerns. The Telecom Cyber Security Rules do not uphold data protection principles and simultaneously enact a compliance heavy regime that telecom entities are likely to find cumbersome and costly. They do not serve the interests of Indian telecom users by meaningfully advancing their privacy or cyber security.