New Delhi: Telecom executives and legal experts have raised concerns that the new cybersecurity rules give New Delhi sweeping access to potentially privacy-breaching consumer data while increasing compliance burden for service providers, which could now be held liable for the misuse of telecom resources by their subscribers. The Department of Telecommunications (DoT), which is due to publish the rules soon after having sought views from multiple stakeholders end-August, might also build a regulatory framework that overlaps with the Ministry of Electronics and IT ( MeitY 's) existing cybersecurity regulations, creating room for multiple interpretations and potential complications. Advt Hence, telecom operators have approached the DoT regarding some problematic areas, including the scope of the rules and stringent conditions that essentially increase their compliance liabilities.
"The rules make telcos responsible for any misuse of telecom resources by consumers. If some user commits a crime, why should the company be penalised?" asked a senior telco executive, requesting not to be named. Officials in the DoT told ET that the final rules will be published soon, and that the guidelines will become effective on publication.
Licence conditions require telcos to follow the IT Act for cybersecurity related compliances. Checks and balances It is not yet known if the conditions will be changed once the DoT notifies its own cybersecurity rules under the Telecommunications Act 2023. As per the draft rules, the government can seek traffic data from telecom firms for the purpose of protecting and ensuring telecom cybersecurity.
The rules define traffic data as any data generated, transmitted, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a communication. Experts say there is ambiguity in defining under what circumstances data can be sought for protecting and ensuring cybersecurity. For instance, the draft rules define a security incident very broadly as an event having an actual or potential adverse effect.
Advt "Such powers are being seen as a means to gain arbitrary access to personal data in contravention of the DPDP Act and the reasonable restriction principles set out in the Indian Constitution," said Shreya Suri, partner, IndusLaw. Suri added there are already other laws in place for allowing the government access to telecom data in certain exceptional circumstances. These include issues pertaining to national security, and such provisions with reasonable checks and balances that do not contravene existing laws and constitutional provisions are better-suited there.
Safeguard ambiguity "Further, the draft rules also do not elaborate on what level of adequate safeguards ought to be kept in place by the Centre while collecting such data," Suri said. While the government has recently notified the allocation of business rules for different ministries and security of telecom networks has been entrusted to DoT, matters related to cybersecurity have been assigned to MeitY. DoT officials, however, say this allocation will ensure no duplication.
But Vinish Bawa, partner and leader telecom at PwC, said that effective coordination between DoT and MeitY will be crucial to avoid duplication of efforts and ensure a streamlined regulatory framework. "Clear delineation of responsibilities and regular communication between the two ministries can help mitigate potential issues," Bawa said. He added the rules mark a significant shift in the regulatory landscape by bringing telecom equipment, network and services cybersecurity under the purview of the DoT rather than the MeitY, which has traditionally handled cybersecurity matters.
Shashank Mishra, partner, Shardul Amarchand Mangaldas & Co, said DoT's draft rules borrow concepts from the existing rules on traffic data monitoring and cybersecurity incident reporting under IT Act, which are applicable to telecom companies as well. "Added to this, existing licence conditions mandate telecom companies create facilities to monitor intrusions, attacks or frauds on their systems and inform the DoT," Mishra said. "This leads to multiplicity of regulations for the same issue, and considering tight timelines for compliance, greater regulatory certainty is warranted.
" The DoT had published the draft cybersecurity rules on August 28 and stakeholders were given 30 days to submit their comments. To be sure, the stakeholder comments on the proposed regulations have not been made public. By Kiran Rathee , ET Bureau Published On Nov 15, 2024 at 07:31 AM IST Telegram Facebook Copy Link Be the first one to comment.
Comment Now COMMENTS Comment Now Read Comment (1) All Comments By commenting, you agree to the Prohibited Content Policy Post By commenting, you agree to the Prohibited Content Policy Post Find this Comment Offensive? Choose your reason below and click on the submit button. This will alert our moderators to take actions REASONS FOR REPORTING Foul Language Defamatory Inciting hatred against a certain community Out of Context / Spam Others Report Join the community of 2M+ industry professionals Subscribe to our newsletter to get latest insights & analysis. Download ETTelecom App Get Realtime updates Save your favourite articles Scan to download App Bharti Airtel Department of Telecommunications telecom data privacy telecom data access rules regulatory framework for telecom cybersecurity MeitY Reliance Jio Vodafone Idea Ministry of Electronics and IT.
Technology
Telcos, experts flag draft rules on cybersecurity as fears of overlap with MeitY guidelines loom
As per the draft rules, the government can seek traffic data from telecom firms for the purpose of protecting and ensuring telecom cybersecurity. The rules define traffic data as any data generated, transmitted, received or stored in telecommunication networks, including data relating to the type, routing, duration or time of a communication.