
Navigating Compliance Under the DPDP Act in the Telecom Sector

The telecom sector is a crucial part of the global economy, connecting billions of people worldwide. It gathers, processes, and stores large volumes of personal data, including call logs, messages, and location information. With the growth of digital communication, concerns over data privacy have increased. This data can identify individuals, track their movements, and monitor their communications, making it a target for cybercriminals. Protecting data privacy in the telecom sector is essential to ensure the confidentiality of customers' personal information. Because the Indian telecom industry is the second largest in the world and among the highest daily consumers of data, the magnitude of a data breach or leak is equally enormous, with the potential to cause huge financial and reputational loss to mega organizations and individuals. The implementation of the 2023 Act prioritizes user privacy and protects users' personal data. While we await the robust and comprehensive rules, let’s navigate through the key aspects of the telecom sector and the critically acclaimed, game-changing Act of 2023:


Reconceived Consent Architecture: Telecom operators must obtain explicit user consent, avoiding pre-ticked boxes in the consent artefacts, so that customers can select the specific data they wish to share and the purposes for which it is shared, as recommended in the Telecom Regulatory Authority of India’s (TRAI) 2018 Recommendations. Once collected, data such as call-detail records and customer details should be anonymized and stored in hashed form. A digital platform with access privileges restricted to designated personnel only should be used to record user consent for commercial communications and unsolicited messages, in accordance with the Telecom Commercial Communication Customer Preference Regulation, 2018. This digital platform should be interoperable with the National Consumer Preference Register, enabling consumers to manage their consent for receiving commercial communications. A dedicated consent management section should also be provided, featuring clear instructions and easily accessible options for users to withdraw their consent at any time. Finally, to regulate unsolicited calls and bulk messages, which often interfere with individuals' privacy and peace, and to ensure transparency in the process of obtaining consent, operators have been entrusted with strict adherence to Section 6 of the 2023 Act, which emphasizes the mechanism for obtaining consent from users.
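
One way to store call-detail records in hashed form, as an added example that is not part of the original article: subscriber numbers are replaced with keyed HMAC-SHA-256 tokens rather than a plain hash, because a ten-digit number space is small enough to enumerate without a key. The sample records, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample call-detail records (not real subscriber data).
SAMPLE_CDRS = [
    {"caller": "9812345678", "callee": "9898765432", "secs": 74},
    {"caller": "+91 98123 45678", "callee": "9000011111", "secs": 12},
]
DEMO_KEY = b"constructed-demo-key"  # placeholder; a real key lives in an HSM or KMS


def normalize_msisdn(raw: str) -> str:
    """Reduce a number to 10 national digits so one subscriber maps to one token."""
    digits = "".join(ch for ch in raw if ch in "0123456789")
    if len(digits) == 12 and digits.startswith("91"):
        digits = digits[2:]  # drop the India country code
    if len(digits) != 10:
        raise ValueError("unexpected MSISDN length")
    return digits


def pseudonymize(msisdn: str, key: bytes) -> str:
    """Keyed token; an unkeyed hash could be reversed by trying every number."""
    mac = hmac.new(key, normalize_msisdn(msisdn).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is ample to avoid collisions


def pseudonymize_cdr(cdr: dict, key: bytes) -> dict:
    """Return a copy of the record with both party numbers tokenized."""
    out = dict(cdr)
    for field in ("caller", "callee"):
        out[field] = pseudonymize(cdr[field], key)
    return out


if __name__ == "__main__":
    for record in SAMPLE_CDRS:
        print(pseudonymize_cdr(record, DEMO_KEY))
```

The tokens stay linkable per subscriber, so the output is pseudonymized rather than anonymous, and the key needs access restrictions at least as tight as those on the records themselves.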


Compliant Cross-Border Data Transfer: To ensure the integrity of financial data and personally identifiable information during cross-border transfers, telecom operators must employ Data Loss Prevention technologies, which enable them to select compliance-oriented profiles tailored to the laws and standards of different jurisdictions. Where a transfer impact assessment identifies significant risks associated with sharing data with a data processor in a different jurisdiction, telecom operators should implement Format Preserving Encryption technologies to ensure that the ciphertext retains the same format as the plaintext, thereby maintaining data integrity and compliance.


Data Fiduciaries and Significant Data Fiduciaries (“SDF”): Because telecommunications are a necessity in the modern age, where individuals are connected globally, telecom companies and institutions have to process data in bulk. This makes it incumbent on data fiduciaries in the telecom sector to implement data protection policies while adhering to a higher standard of data protection than other sectors and industries. The sector also bears the additional obligation to comprehensively detail the type of data to be processed and to ensure greater transparency when obtaining the consent of users and data principals. Telecom companies identified by the Central Government as Significant Data Fiduciaries are required to meet enhanced compliance obligations under the DPDP Act, 2023. These obligations include the mandatory appointment of a Data Protection Officer (DPO), responsible for overseeing data protection policies and practices, as well as an independent data auditor to ensure compliance with the Act’s provisions. Additionally, these entities must conduct regular Data Protection Impact Assessments (DPIAs) to evaluate and mitigate risks related to personal data processing. Periodic audits are also required to ensure ongoing compliance with data protection standards, along with any other regulatory requirements that may be specified by the Central Government. For Data Fiduciaries that do not fall under the Significant Data Fiduciary category, the Act does not mandate the appointment of a DPO. However, Section 8(9) of the Act stipulates that these companies must provide the business contact details of a designated representative who can address queries from Data Principals (individuals whose data is being processed) regarding the handling and processing of their personal data. This ensures that even non-significant data fiduciaries maintain a level of accountability and transparency in their data management practices.


Grievance Redressal: A well-structured grievance redressal mechanism is the need of the hour for this sector, especially given how easily personal data is shared between organizations. Such seemingly unregulated and even arbitrary sharing of personal data is what leads to the daily spam calls a person receives, which in turn is a massive impediment to the quality of services provided by the telecom sector. With the enactment of the DPDP Act and the rules made under it, telecom service providers must maintain and implement a grievance redressal mechanism that is much more accessible, while ensuring that the grievances of data principals, which will be very high in volume, are properly addressed and that sufficient relief is given to aggrieved data principals. The DPDP Act, 2023 requires telecom companies to implement strong data security measures to prevent unauthorized access to or misuse of personal data. In case of a breach, they must notify both the Data Protection Board of India and affected users, following guidelines that will be outlined in the upcoming Rules.


Conclusion

The telecom sector undeniably manages the highest volume of data due to its crucial role in contemporary life, where nearly every individual relies on its services. Unfortunately, a widespread issue many people encounter daily is the alarming prevalence of spam and fraudulent calls, which highlights a serious breach of privacy. This invasion is often dismissed as a common occurrence, which is deeply troubling. Such blatant violations of personal privacy and data security have been regulated and addressed through the implementation of the 2023 Act. While the DPDP Act and its accompanying Rules are designed to address these pressing concerns, it is vital for telecom companies to acknowledge the gravity of the situation rather than treating it as a trivial matter. Major players in the telecom industry must prioritize stringent data protection practices to combat these issues and enhance the current landscape, regardless of whether the Act or Rules specifically address them.


Companies must gear up for compliance with the DPDP Act, particularly given the substantial penalties that can reach up to ₹250 crores. However, the Act also opens up avenues for growth. By emphasizing user privacy, telecom companies can cultivate trust and foster loyalty among their customers. Implementing strong data governance frameworks can significantly benefit these organizations, enhancing their operational resilience. The telecom sector's success in this evolving landscape hinges on its ability to adapt, innovate, and engage with various stakeholders. Building a robust, privacy-conscious ecosystem will not only ensure compliance but also position these companies as leaders in protecting consumer data, ultimately driving their long-term success in a competitive market. Embracing these challenges as opportunities will allow telecom firms to thrive while prioritizing the privacy and security of their users.


The above article is authored by Pranshu Singh (Senior Associate Designate), Upamanyu Ganguly (Associate) and Raghav Sachdev (Associate).
