The Privacy Disconnect: Regulatory Challenges in India's Telecom Sector
- All India Commercial Law Review
- Jul 20
Written by Diya Sher, a law student currently pursuing a BA.LLB. (Hons.) at Symbiosis Law School, Pune.

Introduction
Now serving more than 1.17 billion cellular subscribers, India's telecommunications industry is a key pillar of national economic development and public connectivity. Driven by government programmes such as Digital India and rapid 5G rollouts, Telecom Service Providers (TSPs) have extended data services into urban and rural areas alike. But this expansion has significantly widened the attack surface for cyber-threat actors, from state-sponsored groups to organised criminal syndicates. Because TSPs manage large volumes of call-detail records, location data, and personally identifiable information (PII), ensuring data privacy and network security has become both a regulatory necessity and a business differentiator. This study examines: (i) the statutory and license-based requirements placed on Indian TSPs; (ii) the actual consequences of data breaches for stakeholders; and (iii) evolving regulatory responses and the difficulties they bring.
Legal Obligations of Indian Telecom Service Providers
Indian law places TSPs under several obligations regarding data collection, processing, and breach management:
Digital Personal Data Protection Act, 2023: (a) Defines "personal data" broadly to include any information that can identify an individual, including financial and health information. (b) Requires data-protection impact assessments (DPIAs) before large-scale processing of personal data, and notification of breaches to the Data Protection Board and affected individuals within 72 hours of discovery.
Information Technology Act, 2000, §43A:
Subjects any "body corporate" processing sensitive personal data to liability for compensation if reasonable security practices are not followed and a breach causes harm.
SPD (Sensitive Personal Data and Information) Rules, 2011:
Require TSPs to implement "reasonable security practices" in line with criteria including ISO/IEC 27001 and to designate a grievance officer for data-subject complaints.
License-Based Directives: Under the DoT Unified License Agreement, TSPs must maintain "state-of-the-art" cybersecurity infrastructure, undergo yearly third-party audits, and notify CERT-In and the Department of Telecommunications of security incidents within set timeframes. Non-compliance can lead to show-cause notices, license suspension, or cancellation.
Data-Security Incidents and Their Impact on Stakeholders
Reflecting both the sophistication of threat actors and the growing attack surface produced by digital transformation, India's telecom sector has seen a sharp rise in data-security incidents. CERT-In logged more than 5.5 million cybersecurity events between 2020 and 2023, with the annual count rising from 1.16 million in 2020 to almost 1.60 million in 2023.
Every such event can expose PII (subscriber identities, call-detail records, device identifiers), jeopardizing personal privacy and undermining confidence in TSPs.
Real-world case studies show these dangers vividly. The CloudSEK breach of January 2024, which allegedly exposed 750 million subscriber records, set off industry concern and parliamentary enquiries. Although Airtel denied a July 2024 leak said to affect 375 million users, the publicity and regulatory investigations by themselves highlighted how fragile consumer confidence is. In May 2021, the Air India compromise led to the exfiltration of 4.5 million passenger records and triggered CERT-In directives on multi-factor authentication and improved encryption, a lesson directly applicable to TSPs.
Data breaches also create significant financial consequences beyond reputational harm. The average cost per breach in India in 2023 was $2.18 million, a 28% increase since 2020, largely owing to incident response, regulatory penalties under §43A, and subscriber-compensation programs. Consumer polls show that more than 65% of breach-affected users consider changing providers, which increases long-term revenue risk for non-compliant TSPs.
| Incident | Date | Scale | Outcome |
| --- | --- | --- | --- |
| CloudSEK Breach | Jan 23, 2024 | 750 million subscriber records | Parliamentary Review Committee |
| Alleged Airtel Leak | July 5, 2024 | 375 million customer profiles | Media trial and scrutiny; Airtel denied |
| Air India Compromise | May 21, 2021 | 4.5 million passenger records | CERT-In directives on MFA and encryption |

Table 1: Key Telecom-Sector Data Breach Case Studies
Regulatory Responses and Obstacles
India's regulatory framework for data security in the telecom sector has developed in response to high-profile breaches. Exercising authority under §70B(6) of the IT Act, CERT-In published a binding six-hour reporting rule requiring TSPs to report incidents within six hours of detection and to retain detailed logs for 180 days. The Department of Telecommunications (DoT) has also amended the Unified License Agreement (most recently in 2022) to strengthen audit requirements and impose financial penalties of up to ₹10 lakh per day for late incident disclosures. These measures seek to hasten incident awareness and force infrastructure audits, though their effectiveness depends on strict enforcement.
Alongside these requirements, the Telecom Regulatory Authority of India (TRAI) has released several consultation papers, including Consultation Paper No. 5/2023, which proposes "Privacy by Design" certifications for TSPs and public transparency reports on security postures, incident trends, and remedial actions. If adopted, these proposals would introduce continuous disclosure obligations and enhance consumer visibility into TSPs' cybersecurity practices, bringing domestic standards closer to global benchmarks such as the European GDPR. That said, significant challenges remain.
First, the regulatory ecosystem is fragmented: overlapping obligations under the DPDP Act, the IT Act, and license conditions leave TSPs reconciling different definitions of "personal data" and different breach thresholds, creating compliance confusion and administrative duplication.
Second, enforcement capacity lags behind need: given the increasing number of incidents, CERT-In's personnel and technical resources are stretched thin, delaying forensic analysis, advisory issuance, and follow-up audits.
Third, judicial uncertainty: Indian courts have yet to issue binding precedents under §43A in a telecom setting defining the scope of "sensitive personal data", or to interpret the DPDP Act's extraterritorial reach, leaving important compliance criteria unanswered.
Critical Analysis
Though the DPDP Act, the IT Act, and license conditions together create a thorough statutory framework, India's telecom data-security governance is more reactive than strategic. The delayed operationalization of the Data Protection Board compromises the DPDP Act's deterrent potential, since breach adjudication and punitive orders remain pending. At the same time, CERT-In's six-hour reporting requirement shows regulatory will, but enforcement is inconsistent, with just a few show-cause notices issued to major TSPs. Technological dynamics highlight these governance shortcomings even more. The fast rollout of 5G networks has created an estimated 12,500 new attack vectors, including IoT-based infiltration and network-slicing exploits, that outpace internal audit cycles. Older networks, maintained in parallel for backward compatibility, serve as fallback targets for attackers. Without a security-by-design mandate, TSPs frequently give feature rollout priority over iterative security hardening.
Comparative analysis shows that jurisdictions such as the EU, through the GDPR, require dedicated Data Protection Officers and can impose fines of up to €20 million or 4% of worldwide turnover for breach mishandling. By contrast, India's maximum ₹500 crore fine under the DPDP Act, while noteworthy, remains largely theoretical until the Data Protection Board begins vigorous enforcement.
Ambiguities in statutory definitions, such as "sensitive personal data" under §43A or the DPDP Act's extraterritorial reach, have encouraged divergent compliance postures. To obtain binding judicial interpretations, stakeholders including consumer-rights groups and industry associations should initiate focused Public Interest Litigations in the High Courts. Expedited hearing schedules for telecom-privacy cases would produce precedents clarifying liability thresholds, breach-notification criteria, and compensation formulas. Clear judicial rules will enable authorities to apply the law consistently and companies to adjust their compliance systems with legal certainty.
Conclusion and Recommendations
The foregoing analysis shows that, despite a strong legal framework under the DPDP Act, the IT Act, and license conditions, India's telecom sector still struggles with systemic weaknesses, fragmented enforcement, and regulatory lag. The increase in incidents reported to CERT-In, now over 1.6 million yearly, underscores the need to move beyond ad hoc directives towards a unified, forward-looking approach that embeds data security at all levels of telecom infrastructure. The following recommendations address the institutional, technical, financial, and judicial aspects of this issue.
Put the Data Protection Board into operation:
Effective enforcement of the DPDP Act depends on a fully operational Data Protection Board (DPB). So far, delays in appointing Board members have hampered breach adjudication, leaving TSPs uncertain about penalty thresholds and deadlines. The immediate constitution of the DPB, with well-defined panels for telecom-specific cases, will offer a dedicated forum for rapid issuance of show-cause notices, interim relief, and binding orders. Institutional clarity will not only discourage carelessness but also promote a culture of compliance, since providers will know that adjudication will proceed without excessive delay.
Include "Security by Design" in License Conditions:
Present license terms mostly treat security as a checklist item rather than a fundamental design principle. Amendments should require TSPs to carry out formal internal and third-party security audits before each major network deployment or upgrade, including 5G rollouts and IoT integrations. Audit certificates showing that network-slice isolation, access control, and intrusion-detection systems meet or exceed stated criteria should determine license renewals and spectrum allocations. Embedding "security by design" will shift the paradigm from reactive patching to proactive risk mitigation, greatly lowering the attack surface.
Strengthen Key Management and Encryption Standards:
Though AES-256 encryption is generally considered best-in-class, its use throughout India's telecom stack remains inconsistent. All sensitive customer data, both in transit and at rest, should be encrypted using AES-256 (or equivalent), and regulators should require periodic key rotation under supervised key-management systems. These criteria must extend to network-element logs, backup repositories, and CDR archive systems. Under the DPB's supervision, certifying organizations may conduct yearly encryption-compliance evaluations to ensure that cryptographic protections remain robust against evolving attack techniques.
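The encryption-at-rest and key-rotation recommendation above can be made concrete with envelope encryption. The Go program below is an added example written for this article, not code from the author or from any TSP. It assumes a toy in-memory KeyStore standing in for a supervised key-management system and uses a constructed CDR-style sample line rather than real subscriber data. Each record is sealed under its own data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under a versioned key-encryption key (KEK). Rotating the KEK re-wraps only the small DEKs, so periodic rotation across a large CDR archive never requires re-encrypting the archive itself, and retiring the old KEK afterwards makes any envelope that was not re-wrapped unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored record: the record sealed under its own data-encryption key (DEK), plus that DEK sealed under a versioned key-encryption key (KEK).
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// KeyStore stands in for a supervised key-management system (an assumption of this example; real deployments keep KEKs in an HSM or KMS).
type KeyStore struct {
	keks    map[int][]byte
	current int
}

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[int][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy from the OS CSPRNG means nothing here is safe
	}
	return b
}

func (ks *KeyStore) Rotate() int {
	ks.current++ // older KEK versions stay readable until Retire deletes them
	ks.keks[ks.current] = randomBytes(32) // a 32-byte key selects AES-256
	return ks.current
}

func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a nil key (retired KEK version) fails here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random 96-bit nonce.
func seal(key, plaintext []byte) []byte {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err) // keys reaching seal are program-generated, so this is a bug, not bad input
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil) // wrong key or any tampering fails authentication
}

func EncryptRecord(ks *KeyStore, record []byte) *Envelope {
	dek := randomBytes(32) // fresh per-record DEK, wrapped under the current KEK
	return &Envelope{KEKVersion: ks.current, WrappedDEK: seal(ks.keks[ks.current], dek), Ciphertext: seal(dek, record)}
}

func DecryptRecord(ks *KeyStore, env *Envelope) ([]byte, error) {
	dek, err := open(ks.keks[env.KEKVersion], env.WrappedDEK) // unwrap with the envelope's KEK version
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rewrap moves an envelope onto the current KEK; only the wrapped DEK is rewritten, never the record ciphertext.
func Rewrap(ks *KeyStore, env *Envelope) error {
	dek, err := open(ks.keks[env.KEKVersion], env.WrappedDEK)
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKVersion = seal(ks.keks[ks.current], dek), ks.current
	return nil
}

func main() {
	ks := NewKeyStore()
	ks.Rotate()
	env := EncryptRecord(ks, []byte("cdr,2024-01-23T10:15:00+05:30,A,B,312s")) // constructed sample CDR line
	ks.Rotate()         // periodic rotation: a new KEK becomes current
	_ = Rewrap(ks, env) // move existing envelopes before the old KEK is retired
	ks.Retire(1)
	rec, err := DecryptRecord(ks, env)
	fmt.Printf("%s err=%v\n", rec, err)
}
```

Rotate must be called once before the first EncryptRecord (main does this). The ordering in main, rotate, then re-wrap every stored envelope, then retire, is the control a key-management audit should look for: retiring first would strand every record still wrapped under the old version, and no amount of later rotation recovers it.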
Set Aside Cybersecurity Funds:
Without sufficient resources, technology by itself cannot ensure security. TSPs should be required to set aside at least 2% of annual revenue for cybersecurity activities, including infrastructure modernization, threat-intelligence subscriptions, red-team exercises, and staff training. This allocation should appear as a distinct line item in financial statements, subject to audit by internal compliance teams and regulator-appointed assessors. A ring-fenced budget will guarantee continuous investment in tools and talent and will stop cost-cutting cycles from deprioritizing cybersecurity.
The Execution Plan:
Taken together, these steps will transform India's telecom security regime from a reactive, fragmented one into a strong, unified one. Rapid operationalization of the DPB and a license-based "security by design" mandate address the institutional gaps, while stronger encryption and committed budgets provide technical strength. Judicial clarity will complete the cycle by establishing clear criteria. Adopting this multi-pronged strategy will help India's telecom industry navigate the complexity of digital transformation, protect subscriber privacy, and conform to global best practices, thereby securing its role as a reliable enabler of the country's digital future.