India’s new cyber rules for telecoms come with big privacy risks, experts say
2024-11-28 01:0:50 Author: therecord.media

India’s telecommunications regulator has rolled out rules designed to protect the country’s critical infrastructure networks from cyberthreats, but experts warn that the new guidelines have inadequate safeguards for users' fundamental privacy rights.

The regulations, published last week by India’s Department of Telecommunications (DoT), require telecom entities to report cybersecurity incidents within six hours, share user traffic data with cybersecurity authorities and adopt a cybersecurity policy that includes risk management approaches, training, network testing and risk assessment.

Introduced under the landmark Telecom Act, which passed in 2023, the measures represent a significant regulatory step for the industry. Although the final rules incorporate some changes prompted by public consultations, experts say they still need more guardrails for government access to data. 

Impact on user privacy

The obligation to provide user data to state authorities raises significant concerns among privacy advocates.

Contrary to the draft version of the rules, which could have allowed authorities to collect the content of people’s messages, the adapted version mainly permits the collection of user metadata. However, this metadata is still considered "extremely sensitive", according to Namrata Maheshwari, senior policy counsel at the digital rights organization Access Now.

“The law lacks clear restrictions on the government’s authority to collect such data, share it with other agencies, or store it without independent oversight,” Maheshwari told Recorded Future News.

India’s telecom rules specify that the collected data “should not be used for any purpose other than for ensuring telecom cybersecurity.” However, according to experts at India’s Internet Freedom Foundation (IFF), the phrasing of the legislation could lead to the government misusing its data collection and sharing powers.

“Empowering the government to collect any data — whether or not it relates to a cybersecurity incident — gives the unchecked surveillance powers to the state,” Maheshwari said.

The government can also suspend a person's access to telecom services if they are found to be in breach of the vaguely defined obligations under these rules. 

“This is a severe deprivation, impinging on fundamental rights, and must have legislative safeguards to prevent the misuse of the law,” she added.

Impact on telecom industry

According to a statement from the IFF, the Indian telecom industry may find it "cumbersome" to comply with the new regulations.

If a telecom entity reports a cybersecurity incident within the initial six-hour window under the new rule, it still faces another immediate deadline: Within 24 hours, the organization must submit all other relevant information, along with a more detailed description of the incident.

The IFF argues that this reporting requirement is “unrealistic and unfeasible.” The 24-hour deadline, they say, does not align with global best practices. For example, in the U.S., as well as under the European Union’s General Data Protection Regulation (GDPR), the reporting time for critical infrastructure incidents and personal data breaches is set at 72 hours.

The IFF warns that the timelines set by the Indian rules are likely to lead to a decrease in the quality of incident reporting.

Indian legal experts also stated that the rules are likely to increase compliance costs for telecom companies, which could make mobile services more expensive for users. Several local telecom operators confirmed to the Indian business newspaper Economic Times that the expenses they incur while trying to adhere to the rules may be passed on to consumers.

Local telecom giants, including Airtel, Vodafone, and Reliance Jio, have not publicly commented on the new rules.

‘Hurriedly passed’

The Telecom Act replaced colonial-era laws with the intent to modernize India’s sector and encourage innovation. Maheshwari called the law “a missed opportunity.”

“It was hurriedly passed through the Indian Parliament, avoiding much-needed debate and deliberation,” she added.

The cybersecurity rules, as well as other rules under the Telecom Act, should be presented before legislators and scrutinized to ensure they provide adequate safeguards for people’s rights, Maheshwari argued.

India’s government has frequently restricted citizens’ digital freedoms by blocking social media platforms or cutting access to the internet during major political and social events.

According to Access Now, India has led the world in internet shutdowns for the sixth consecutive year. The local government continues to block online content at an increasing rate, and Indian internet users risk arrest for posts critical of the government, according to a report by the U.S. nonprofit Freedom House.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Article source: https://therecord.media/india-telecom-act-cyber-regulations-privacy-concerns