tl;dr
On August 28, 2024, the Department of Telecommunications [“DoT”], Ministry of Communications [“MoC”] released four draft rules under the Telecommunications Act, 2023 [“Telecom Act”], namely the draft Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 [“draft Interception Rules”], draft Temporary Suspension of Telecommunication Services Rules, 2024 [“draft Suspension Rules”], draft Telecommunications (Telecom Cyber Security) Rules, 2024 [“draft Cyber Security Rules”] and draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 [“draft CTI Rules”]. First published in the eGazette on August 29, 2024, all four draft Rules have been opened up for objections or suggestions by the MoC for 30 days. Given the wide-ranging implications of these draft Rules on our constitutional freedoms, we have written to MoC and submitted our in-depth comments and recommendations on each of the draft rules. This post includes a summary of the comments and recommendations we made to MoC.
Important documents
- Draft Telecommunication Interception Rules, 2024 (link)
- Draft Temporary Suspension of Telecommunication Services Rules, 2024 (link)
- Draft Telecom Cyber Security Rules, 2024 (link)
- Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- IFF’s Consultation Response on the Draft Telecommunication Interception Rules, 2024 (link)
- IFF’s Consultation Response on the Draft Temporary Suspension of Telecommunication Services Rules, 2024 (link)
- IFF’s Consultation Response on the Draft Telecom Cyber Security Rules, 2024 (link)
- IFF’s Consultation Response on the Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- The Telecommunications Act, 2023 (link)
- E-gazette notification for enforcement of sections of the Telecommunications Act, 2023 dated June 21, 2024 (link)
- Public Brief on draft Indian Telecommunication Bill, 2022 dated October 27, 2022 (link)
- IFF’s first read of the Telecom Bill, 2023 (link)
- IFF’s first read of the Draft Telecommunication Interception Rules, 2024 (link)
- IFF’s first read of the Draft Temporary Suspension of Telecommunication Services Rules, 2024 (link)
- IFF’s first read of the Draft Telecom Cyber Security Rules, 2024 (link)
- IFF’s first read of the Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
Background
These draft Rules have been released in pursuance of Section 20(2)(a), Section 20(4) read with Section 56(2)(t)(u) of the Telecommunications [“Telecom”] Act, 2023, which was enacted amid widespread chaos in the Parliament while over 140 opposition Members were suspended. The Telecom Act, 2023 received Presidential Assent and was published in the gazette on December 24, 2024. On June 21, 2024, the MoC issued a gazette notification to bring into effect certain sections of the Act, namely Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62, from June 26, 2024.
The draft 2024 Rules seek to supersede certain existing rules and provisions. The draft Interception Rules supersede Rules 419 and 419A of the Indian Telegraph Rules, 1951. The draft Suspension Rules supersede the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017 [“2017 Suspension Rules”] and Temporary Suspension of Telecom Services (Amendment) Rules, 2020. The draft Cyber Security Rules supersede the Prevention of the Tampering of the Mobile Device Equipment Identification Number Rules, 2017 and the Mobile Device Equipment Identification Number (Amendment) Rules, 2022. However, the draft CTI Rules do not supersede any existing legislation.
As per a statement made by the Union Minister of Communications, Jyotiraditya Scindia, in July 2024, all the Rules and provisions of the Telecom Act, 2023 will be notified within six months. While some of the Telecom Rules have been notified, and some have been released for public input, some Rules have yet to be released.
Our submissions on the draft Interception Rules
- Widened scope of interception
The 2022 draft version of the Telecom Bill was met with widespread opposition due to its extensive expansion of the definition of ‘telecommunication services,’ which encompassed numerous services, such as broadcasting services (Direct to Home services, community radio stations), internet-based services (electronic mail, voice and video communication services), data communication and connectivity services (fixed and mobile services, internet and broadband services), satellite and machine-to-machine communication services (machine-to-machine communication), and over-the-top (“OTT”) communication services (Google Meet, interpersonal end-to-end encrypted communication services like Signal). Although the 2023 version of the Telecom Act notably omits these explicit references, the lack of explicit exclusions for these services leaves ambiguity, allowing the possibility that several alarming provisions related to surveillance, possession, suspension, authorisation, interception, etc. in the Act could still be applied to a wide array of internet services. Although the then Union Minister of MoC, Ashwini Vaishnaw publicly clarified that OTT services will not fall within the scope of the Act, this assurance is not legally binding, as the text of the Act does not expressly exclude these services. To avoid expansion or re-interpretation of the scope in the future, the DoT must explicitly exclude internet services in the definition of ‘telecommunication’ and ‘telecommunication services’ in the Telecom Act, 2023 itself.
- Lack of transparency around interception matters
The draft Interception Rules do not require the interception order to specify the name and designation of the officer or authority to whom the intercepted messages will be disclosed. Instead, it requires the order to specify the authorised agency that will undertake/ conduct the interception. The draft Interception Rules must mandate that each interception order disclose the name and designation of the officer or authority to whom the intercepted messages will be disclosed. Such disclosure will contribute to increased transparency and accountability among the government.
- Diluted security standards
While the Telegraph Rules, 1951 prescribe a higher threshold of “extreme secrecy” and “utmost care and precaution” while dealing with interception matters [Rule 419A(14)], Rule 4(4) of the draft Interception Rules, 2024 prescribes a lower threshold of only maintaining “confidentiality and secrecy” while failing to specify clear standards for safeguards. The draft Interception Rules must retain the high security threshold and privacy safeguard outlined in the Telegraph Rules, 1951 for dealing with interception matters. Further, any provisions pertaining to maintaining confidentiality in matters of interception must explicitly balance principles of transparency, state accountability, and the right to receive information, specifically information pertaining to the State’s surveillance efforts.
- Liability of service providers
The provision pertaining to the liability of service providers in case of violation of licence conditions around the maintenance of secrecy and confidentiality of information, which explicitly existed under the Telegraph Rules, 1951, has been removed from the draft Interception Rules. The latter also does not impose any penalty (a fine or suspension/ revocation of licence), marking a significant shift from the Telegraph Rules, 1951. The draft Interception Rules must provide clarification on the penal provisions and mechanisms for deterring non-compliance with the rules by telecom entities.
- Lack of safeguards for maintenance and storage of intercepted data/records
While the draft Interception Rules mandate the maintenance of secure records, no defined security threshold or standard has been outlined in the draft Rules, leaving the implementation of security measures ambiguous and potentially inadequate. The draft Interception Rules also do not specify any limitation on the duration for which records can be stored, effectively allowing records to be retained indefinitely without any legal or procedural constraints. The draft Interception Rules, 2024 must mandate strict security standards as well as adherence to internationally-recognised privacy principles such as purpose limitation and storage limitation for maintaining interception records. In addition to the competent authority, only security and law enforcement entities/ agencies must be allowed to destroy interception records. Further, the draft Interception Rules, 2024 must explicitly mandate the maintenance of statistical data about interception orders, particularly data about number of orders received by the government, orders approved and denied, issuing authority, grounds for issuing orders, number of orders renewed, and duration of orders.
- Overbroad exemptions from application of Rules
The draft Interception Rules do not apply to the testing and demonstration of lawful interception systems and monitoring facilities [Rule 3(12)]. Thus the conduct of these activities and any violation of the Rules that may arise as a result of them will not be regulated under these Rules. In light of the overbroad exemption given to telecom entities and government authorities for purposes of “testing and demonstration” by way of Rule 3(12), in the absence of any meaningful safeguards, we recommend that the Ministry recall this provision from the draft Interception Rules to prevent potential misuse.
- Concerns with the functioning of the Review Committee
The Review Committee still lacks the necessary independence required to conduct an impartial review as it includes members of similar rank within the same branch of government (the Executive) which is tasked with issuing the interception order. The draft Interception Rules must mandate a diverse composition of the Review Committee by including more non-official members such as retired Judges, members of the public, etc. and potentially even local MPs and MLAs. The draft Rules must also provide a mechanism for affected parties to present their case before the Review Committee. Judicial authorisation, whether ex-ante or ex-post, could serve as a less restrictive alternative to executive oversight, offering greater scrutiny. Moreover, the fourth prong of the proportionality test mandates the existence of sufficient safeguards to prevent abuse, including the establishment of an independent, impartial body to oversee interception orders and ensure that surveillance measures remain within reasonable bounds.
- Failure of the DPDPA, 2023 to provide procedural safeguards
Existing safeguards under the draft Interception Rules, 2024 are largely ineffectual given that the Union government can exempt itself under Section 17(2) of the Digital Personal Data Protection Act [“DPDPA”], 2023 from the application of its provisions, further weakening safeguards related to interception. The sweeping legal exemptions to government instrumentalities could result in potential mass surveillance. In light of the overbroad exemptions provided to the Union government under the DPDPA, 2023, the draft Interception Rules must incorporate strict security measures and mandate adherence to internationally recognised privacy principles so that State surveillance measures are effectively curbed and do not infringe upon fundamental rights.
Our submissions on the draft Suspension Rules
- Publication of suspension orders
The draft Suspension Rules mandate that all suspension orders must be published [Rule 3(2)]. Rule 3(1) also states that the suspension order must be issued in writing. However, the draft Suspension Rules do not explicitly prescribe the mode and mechanism of publication of suspension orders. The draft Suspension Rules, 2024 must explicitly state the mode and mechanism of publication of suspension orders. The draft Rules must also mandate the establishment of a centralised database reflecting up-to-date information about internet shutdown orders, as was suggested by the Parliamentary Standing Committee on Communication and Information Technology [“IT”] in its 2021 report on internet shutdowns. This database must include certain details about the shutdown including the duration, geographical extent, nature (whether complete shutdown, suspension of wireless internet or slowing down of data speeds), and the reason the shutdown was ordered.
- Lack of provision for the publication of Review Committee orders
Unlike the publication of suspension orders, the draft Suspension Rules, 2024 do not explicitly require the publication of Review Committee orders. Access to Review Committee orders is crucial for affected parties to challenge suspension orders before the appropriate forum, ensuring transparency and accountability in the process. Thus, the draft Suspension Rules must mandate the publication of Review Committee orders and must also explicitly state the mode and mechanism of publication of these orders.
- Expanded powers of the Review Committee
The Review Committee under the draft Suspension Rules has been empowered to set aside suspension orders. This is a notable change from the 2017 Suspension Rules which do not include provisions for setting aside suspension orders and merely allow the Review Committee to “record” its findings. The case of Anuradha Bhasin v. Union of India [(2020) 3 SCC 637] also held that in addition to evaluating conformity to procedure (i.e. Section 5(2) of the Telegraph Act, which is equivalent to Section 20(2)(b) of the Telecom Act, 2023), the Review Committee must also evaluate if the suspension order is in consonance with the proportionality principles. The draft Suspension Rules must explicitly impose an obligation on the Review Committee to evaluate if the suspension was lawful, necessary, and proportionate (the Anuradha Bhasin judgement stated that internet suspension is a drastic measure and must be considered by the government only if “necessary and unavoidable” and after assessing the existence of less intrusive remedies).
- Concerns with the independence of the Review Committee
The composition of the Union and State-level Review Committee continues to be the same as the 2017 Suspension Rules; it still lacks the necessary independence required to conduct an impartial review. The draft Suspension Rules, 2024 must incorporate suggestions made by the Standing Committee on Communication and IT in its 2021 report on internet shutdowns. These include ensuring a diverse composition of the Review Committee by including more non-official members such as retired Judges, members of the public, etc. and potentially even local MPs and MLAs. The Standing Committee also suggested that authentic data on the decisions taken by the Review Committee must be maintained.
- 15-day cap on the operation of suspension order
The draft Suspension Rules continue to maintain the cap on the duration of operation of a suspension order, with a slight modification that the suspension order must define a specific duration, not exceeding 15 calendar days. Notably, this provision pertains to the duration of an individual suspension order rather than the cumulative duration of an internet suspension. The draft Suspension Rules must reduce the 15-day limit and instead prescribe a reduced limit on the number of days for which an internet shutdown may be imposed cumulatively or through successive orders. The limit must be prescribed keeping in mind the current practice of imposing internet shutdowns through successive orders for, in effect, prolonged or indefinite periods. Further, regardless of the prescribed day limit, the draft Suspension Rules must introduce some oversight/ safeguards to ensure that the states do not impose disproportionate suspension orders, either by extending the effective duration by issuing successive orders or by imposing a blanket shutdown without assessing the least intrusive method.
- 5-day timeline for Review Committee meeting
The timeline for the convening of the Review Committee has been reduced from 5 working days under the 2017 Suspension Rules to 5 calendar days under the draft Suspension Rules. However, since most suspension orders are of shorter duration, typically around 1 to 3 days, the risk that the internet suspension order lapses before the order is forwarded to the Review Committee and the committee convenes still exists. The draft Suspension Rules must reconsider the 5-day timeline for the convening of the Review Committee. Further, additional safeguards, as mentioned previously in several instances, must be built into the language of the law to ensure that the review mechanism of the suspension order is transparent, independent, and effective.
Our submissions on the draft Cyber Security Rules
- Overbroad and ambiguous definitions
The definition of ‘telecom cyber security’ lists the various telecom services, networks, and assets that may be safeguarded against cyber security risks. One of the listed services includes ‘applications’ which is undefined in the draft Cyber Security Rules and the Telecom Act, 2023. The term raises concerns about the potential inclusion of online communication services/ applications under the scope of the Rules. The ambiguous phrasing of ‘traffic data’ may be interpreted broadly to include the contents of messages in its definition. It is recommended that an explicit provision be added to the draft Cyber Security Rules clarifying that it is not applicable to online communication services and that the term ‘traffic data’ does not include the contents of messages in its definition.
- Executive powers in the absence of safeguards
It is recommended that (i) the authority empowered to block telecom equipment with a tampered IMEI number be specified and an appeal mechanism be introduced for those aggrieved by the same, (ii) the draft Cyber Security Rules remove the bypass introduced to circumvent procedural safeguards while issuing notice to those who endanger telecom cyber security in public interest, (iii) parliamentary/judicial oversight over the order passed by the Union government is introduced and (iv) the provision on creation of a repository of persons and telecom identifiers against whom action has been taken under the draft Cyber Security Rules be removed.
- Data collection, sharing, and analysis
The Cyber Security Rules allow the Union government (or any authorised agency) to collect traffic data as well as any other data from telecom entities [Rule 3(1)(a)]. Additionally, the Rules also empower the government to direct a telecom entity to establish necessary infrastructure and equipment for data collection, processing, and storage [Rule 3(1)(b)]. Such overbroad and vague provisions have been introduced in the absence of any safeguard and the provisions pertaining to the development of telecom infrastructure do not abide by the ‘privacy by design’ approach. Notably, Rule 3(3) imposes an obligation on the entities collecting data and receiving the collected data to put in place ‘adequate safeguards’. The Rules however fail to elaborate upon what level of safeguards will be considered ‘adequate’. We recommend incorporating data protection and privacy principles and specific levels of safeguards for data collection, sharing, and analysis undertaken by the Union government.
- Compliance requirements for telecom entities
The draft Cyber Security Rules require telecom entities to “maintain logs of elements involved in telecommunication services, or telecommunication network or any other element required for security of telecommunications service or telecommunications network” and to “maintain all records or logs specified herein” for a period that will be specified by the Union government. With respect to the timeline for maintaining records, the draft Cyber Security Rules do not comply with privacy-advancing storage limitation and data retention principles and further delegate delegated powers, which creates uncertainty for entities who will have to comply with such overbroad provisions. It also fails to specify different thresholds for different entities based on their type/size and capacity to undertake these compliance requirements. It is recommended that privacy-advancing storage limitation and data retention principles be specified in the context of the obligation on telecom entities to maintain logs/records.
- Potential threats to encrypted platforms
The draft Cyber Security Rules include provisions for identifying the person allegedly responsible for endangering telecom cyber security and issuing a notice to them. As previously mentioned, if the applicability of the Telecom Act, 2023 is expanded to “OTT” communication platforms, this provision may directly threaten online communication applications/ platforms which are end-to-end encrypted. The draft Cyber Security Rules must introduce safeguards to ensure that end-to-end-encrypted platforms are not threatened.
- Security incident reporting mechanisms
The draft Cyber Security Rules also require the telecom entity to report ‘any security incident’, along with relevant details specified under the Rules, to the Union Government within 6 hours. While the telecom entities will be required to investigate and assess the security incident, compliance with the uniform reporting timeline of 6 hours may be infeasible for a lot of entities and also in certain cases of security incidents. Rule 7(2) of the Cyber Security Rules includes a provision pertaining to informing the public at large about a security incident, however, such disclosure is contingent on whether the Union government believes it to be in ‘public interest’. If the government determines that the disclosure is not in ‘public interest’, the government may choose to not inform the public, including the affected users, about the security incident. It is recommended that (i) the timeline for reporting security incidents be increased to seventy-two (72) hours and (ii) the Union government be obligated to inform the public and affected users about all security incidents.
Our submissions on the draft CTI Rules
- Need for a cross-sectoral approach to critical infrastructure
The draft CTI Rules have created a category of Critical Telecom Infrastructure [“CTI”] which has been regulated through a set of specified obligations and targeted compliance requirements. While it is recognised that telecom is a critical sector that warrants protection from external threats, it is also important to learn from other jurisdictions and adopt a cross-sectoral approach to critical infrastructure protection. It is recommended that the draft CTI Rules be incorporated into a larger effort to regulate all critical infrastructure in the country. This would include creating an exhaustive list identifying all the critical infrastructure sectors in the country. An inter-ministerial cooperative effort could be undertaken to regulate all the identified critical sectors. Sector-specific laws such as the draft CTI Rules could then be integrated within this broader framework.
- Vague parameters for the designation of critical telecom infrastructure
Rule 3(1) of the draft CTI Rules states that the designation of the CTI would be based on whether the destruction of the telecom network would have an impact on the national security, economy, public health or safety of the nation. However, the assessment of ‘impact on national security, economy, public health or safety of the nation’ is overbroad, ambiguous, and could potentially be arbitrary. Due to the vagueness of the parameters of identification of CTI, the potential for misuse of CTI designation to subject telecom entities to a higher threshold of compliance and scrutiny is a concerning prospect. It is recommended that there be clearly defined parameters and a pre-decided assessment process for designating a telecom entity as a CTI. A framework of precise thresholds and cut-offs based on turnover, number of users, area of coverage, etc. could prove to be more transparent and less arbitrary than the current parameters of national security, economy, public health, and safety.
- Rehashing of existing security requirements
Rule 4(1) of the draft CTI Rules requires CTI to be in compliance with security, testing, and conformity requirements as issued by relevant Union Government authorities such as the Telecommunication Engineering Centre [“TEC”] and National Centre for Communication Security [“NCCS”]. However, these requirements are pre-existing under the Indian Telegraph Rules, 1951. It is recommended that the mandatory testing and certification requirements under the Indian Telegraph Rules, 1951 not be replicated in the present rules as telecom entities are already required to comply with the same. Clarity is required on the reason for the duplication of security, testing, and conformity requirements. Further, as the draft CTI Rules do not prescribe any penalties as opposed to the Indian Telegraph Rules, 1951, clarity is required on the mechanisms to ensure compliance by telecom entities.
- Excessive powers of access and inspection
Rule 5 of the draft CTI Rules allows the Union Government to authorise its personnel through an order to access and inspect hardware, software, and data pertaining to CTI of telecom entities. However, this power of the Union Government to access the CTI of telecom entities remains largely unfettered and is not backed by principles of due process. By a mere order, the Union Government gains virtually full access to the assets of telecom entities. There is no provision for a prior intimation or notice to the telecom entities before their facilities are accessed by the Union Government. Such broad and overarching inspection powers have a significant potential to be misused by the Government authorities. It is recommended that Rule 5 of the draft CTI Rules be modified to include (i) a requirement for prior intimation to the telecom entities at least two (2) weeks in advance and (ii) a definition of the term ‘personnel’ specifying the officer/authority that would be inspecting the CTI of telecom entities.
- Lack of data protection safeguards
Rule 5 of the draft CTI Rules allows the Union Government to access data pertaining to CTI of telecom entities. This could include access to user data, which could amount to a violation of the right to privacy of individuals who have consented to share their data only with specific telecom entities. This access to data has been allowed in the absence of any data protection safeguards, without any checks and balances, and in complete disregard of the ‘privacy by design’ approach. It is recommended that there be a bar on access by the Union government to the user data maintained by telecom entities. Further, the access to the data maintained by the telecom entities granted to the Union government ought to be accompanied by data protection safeguards such as storage limitation, purpose limitation, data retention, etc.
- Overregulation and high compliance costs
The draft CTI Rules impose several compliance requirements on telecom entities that seem both infeasible and inefficient at the same time. For instance, Rule 7(1)(l) requires telecom entities to report security incidents to the Union government within two (2) hours of occurrence. Two hours is an unrealistic time bar for reporting security incidents. Instead of a thrust on quick reporting, the focus ought to be on allowing for a response time to the telecommunication entity and realistic timelines for accurate reporting. Another instance of unrealistic and excessive compliance under the draft CTI Rules is Rule 8, which requires telecom entities to seek prior permission from the Union government to conduct upgradation activities on their CTI. A requirement for prior permission for upgrading CTI would result in significant compliance costs and inefficiencies for telecom entities. Instead of fast-tracking upgrade procedures, the telecom entities would now be forced to wait for permission to carry out upgrade activities, even if they are routine in nature. It is recommended that (i) the timeline for reporting security incidents be increased to seventy-two (72) hours, (ii) the requirement for prior permission for upgrades be removed and replaced with an ex-post reporting framework and (iii) carve-outs be created to reduce the compliance burden on MSMEs and newer telecom entities.