India’s new cybersecurity rules are likely to push up compliance costs of telcos, making mobile services potentially costlier, and also have far-reaching implications on the privacy of mobile users amid ambiguity around the nature of consumer data that can be sought by the Centre, senior telecom executives and legal experts said.
They added that the new rules could also throw up implementation challenges as the mandated six-hour timeline to report cybersecurity incidents to the government is a fraction of the time allowed under comparable laws in the US and the European Union (EU).
Leading corporate lawyers, who work closely with India’s top telcos, have flagged concerns around the privacy of consumers of mobile services, saying the notified cybersecurity rules—which empower the government to demand traffic data from telcos—have neither defined ‘traffic data’ nor specified any limitation on the duration for which such data can be stored. This ambiguity in the new rules, they warned, potentially allows private consumer data to be retained indefinitely without any legal or procedural constraints.
Legal experts added that the new regulations, which require a telco to report a cybersecurity incident within six hours to the Centre, are too ambitious, arbitrary and not in sync with global best practices, and accordingly, would face severe implementation challenges.
They have pointed out that even in the US, the Cyber Incident Reporting for Critical Infrastructure Act prescribes a 72-hour timeframe to report cyber incidents. Likewise, Article 33 of the General Data Protection Regulation, applicable in the EU, also allows a 72-hour span to notify personal data breaches.
Last week, the Department of Telecommunications (DoT) notified India’s new cybersecurity rules. As per the notification, telecom entities have to appoint a chief telecommunications security officer, and report security incidents within six hours to the Centre along with relevant details of the affected system, including the description of such incident.
“Omission of the definition of ‘traffic data’ in the notified rules adds to the ambiguity as to what data can be sought by the central government,” Sanjeev Kumar, partner, Luthra and Luthra Law Offices India, told ET.
He added that while the rules impose obligations on the telecom entity to collect and store data, they do not specify any limitation on the duration for which such collected data can be stored, either by the telecom entity or by the entities/users with whom it has been shared.
“This effectively allows data to be retained indefinitely without any legal or procedural constraints, raising grave privacy concerns. I am of the view that certain aspects of the rules need to be reworked to ensure that constitutional rights of citizens and the telecom cybersecurity concerns are balanced,” Kumar, who works closely with India’s top telcos, added.
Senior telco executives, in turn, said the new mandated cybersecurity compliance drill would definitely be adhered to but would increase compliance costs. “We are yet to make a potential cost escalation assessment, but if compliance liabilities move up significantly, they would logically get passed on to consumers by way of a tariff hike at some point,” a top executive of a Big 3 telco told ET.
At press time, ET’s queries to Bharti Airtel, Reliance Jio and Vodafone Idea (Vi) went unanswered. Queries to the Cellular Operators Association of India (COAI), which represents the country’s top telcos, also did not elicit a response at press time.
Industry experts, though, said the degree of cost escalation due to heightened cybersecurity compliance needs would hinge on a telco’s size and its existing compliance infrastructure and processes. Going forward, mobile carriers may have to increasingly rely on automation and Gen AI tools, which dispense with manual checks and interventions and fully automate compliance processes, to cut extra costs triggered by the new rules, they added.
“Telecom companies may need to rethink and restructure the way cybersecurity processes and relevant organisations within a telco are set up right now. They may also have to partner more aggressively with third-party consultancy companies to elicit support around cybersecurity compliance issues, especially since these third-party companies have the processes, tools and regulatory know-how to support these upcoming telco needs,” Vinish Bawa, partner and telecom leader at PwC India, said.
Shreya Suri, partner, IndusLaw, said DoT’s decision to notify new cybersecurity rules for the telecom sector is aimed at bringing in a higher degree of compliance to a sector that is recognised as a sensitive one, and which holds sensitive information.
“This is basically the telecom authority trying to portray that there is someone else apart from CERT-In (Indian Computer Emergency Response Team) that is also looking at the sector, and that if there is any non-compliance, the sectoral authority (read: DoT) would also get involved.”
Legal experts, though, are at odds with the new cybersecurity rules that make telcos responsible for any abuse of telecom resources by mobile users. “Rule 4 of the cybersecurity regulations imposes obligations on the ‘telecom entity’ relating to telecom cybersecurity. This compliance is too onerous and possibly under no circumstances will a telecom entity be able to monitor and prevent misuse of telecom resources by a consumer,” said Kumar of Luthra and Luthra Law Offices India.