How India's new draft telecom law may impact data privacy?

India moved to overhaul its ageing telecommunications laws in late September 2022, by releasing a new draft Telecommunications Bill, 2022 (“Telecom Bill”). This Bill would repeal and replace laws that are decades, and in some cases centuries, old - the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950.


The Telecom Bill proposes quite a few momentous changes to India’s telecom regulatory regime. For example, it proposes to regulate OTT communication platforms on the same footing as ‘traditional’ telecom services, as a result of which players such as WhatsApp or Zoom may find themselves facing stringent licensing norms in India. The Telecom Bill also proposes (once again) to regulate spam calls and messages, which have so far defied all attempts at curtailment.


But perhaps the most consequential impact of the Telecom Bill would be to further enhance the Indian Government’s surveillance powers in telecommunications matters. This is important, in that past jurisprudence on phone tapping has always informed India’s data privacy regime, and has found echo even in protections afforded to computer data under Indian IT regulations. If the Telecom Bill replaces the Telegraph Act, there may be a ‘reset’ on restrictions on the Indian Government’s power to access telecom calls and data, and also data stored on computer systems in India or aboard.


The origins of Indian surveillance regulations

As this author has argued before , the grundnorm source law on electronic surveillance in India is Section 5(2) of the Indian Telegraph Act, 1885. When read with the terms of the Indian Telegraph Rules, 1951, this allows interception and disclosure of telecom messages only “on the occurrence of any public emergency or in the interest of public safety”.


Section 5(2) of the Telegraph Act was formulated in 1972 to facilitate surveillance by way of telephone tapping. In 1996, limitations on the Indian Government’s ability to tap phones was placed by the Supreme Court’s ruling in People’s Union for Civil Liberties v. Union of India (“PUCL Case”). The Indian Supreme Court in the PUCL Case issued nine (9) rules and directions on telephone taping, including a sunset on any interception orders, and an internal review committee to oversee such orders. Following this case, a new Rule 419A was added to the Telegraph Rules, enshrining these limitations into law.


Why this case has resonance beyond the telecom space, is that the same legal reasoning (and text) was adapted for surveilling computer records in later laws that governed computer systems. In 2000, Section 69 of the Information Technology Act was drafted to mirror Section 5(2) of the Telegraph Act. And like Rule 419A, the Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 allow data access with the same restrictions.


As such, Indian telecom and data surveillance laws, in their present form, are rooted in a judgement of the Supreme Court that places limits on the Government’s phone surveillance and access powers. Indian courts have continued to apply such limitations to the state’s surveillance powers when it comes to telephone tapping, access orders, etc.


But if the basic grundnorm of the Telegraph Act is changed, how much of this protection remains?


Surveillance under the draft Telecom Bill


Section 24 of the Telecom Bill addresses interception of telecom calls and messages, akin to the erstwhile Section 5(2). Upon the occurrence of any public emergency or in the interest of the public safety, the duly designated officer of the Government may, if satisfied that it is necessary in the interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence, order interception of messages, from or to any class of persons.


So far, so good – the reasons and rationale for interception is broadly similar to that under the old law. But the operative part of the Government powers will be contained in any rules and subordinate legislation that define the actual parameters of such interception. Would these reflect the old Rule 419A of the Telegraph Rules, or would the Government take this opportunity to ‘streamline’ the way in which it can access telecom messages and calls?


Whatever form the final Telecom Bill and its rules take, they will likely have an impact beyond the interception of SMSs and phone tapping. India is also contemplating replacing its 20 year old Information Technology Act with an updated ‘Digital India Act’ . The reframing of India’s digital regulations may present a similar opportunity for the Government to apportion to itself additional powers of data access and surveillance. There has been a trend towards increased surveillance in recent Indian laws, including those ostensibly dealing with cybersecurity and intermediary rules.


What happens next?


The draft Telecom Bill is currently out for public consultations under mid-October 2022, post which it may be revised to reflect inputs received. There has already been a substantial backlash against the new draft law imperilling encrypted messaging applications and justifying communications blackouts . Whether this will make the Government step back and revise the draft law is uncertain; in recent times, while the Government has withdrawn one unpopular draft law from circulation (the Personal Data Privacy Bill, 2019), in other cases it has forged ahead unheeding of criticism (most recently, in Cyber incident reporting directions that require notification of a breach within 6 hours).


As this author noted in an earlier piece , Indian jurisprudence around telephone tapping has been headlined by Indian courts seeking to place fetters on the State’s power to access information and data. Indian courts’ continued willingness to push back against Government surveillance orders is ultimately derived from the law they are called upon to enforce. Diluting protections under the underlying laws is the surest way to bypass judicial review of such matters. But doing so also has far reaching consequences, in that the overall standard of protection available to individuals (Indian or foreign) in India may be diluted. And this may have consequences, in turn, when evaluating the adequacy of protections in India.

But will this realization be enough to curtail the Government’s recent penchant for surveillance? An interesting few months lie ahead of those of us who follow data privacy developments in India.

 

Originally published by International Network of Privacy Law Professionals (INPLP).