日本人

The Regulatory Evolution of Telecommunication Privacy Laws in India

Home     Articles      The Regulatory Evolution of Telecommunication Privacy Laws in India

The Regulatory Evolution of Telecommunication Privacy Laws in India

November 12, 2025

Written by Ayushi Raghuvanshi

The telecommunications sector in India has undergone a transformation, evolving from a state-controlled monopoly into a competitive landscape. With this expansion has come a growing need to safeguard the privacy of its billions of telecom users, which has led to a constant evolution of legal frameworks. India’s telecom regulatory journey has evolved from a colonial-era framework emphasizing government control to a contemporary legal structure addressing the complexities of digital communication, underscoring a growing commitment to safeguarding individual privacy rights.

The Indian Telegraph Act of 1885[1] (“Act of 1885”) established the framework for this regulation. The law, which was passed under the British Raj, mainly gave the Central Government responsibility over the installation and operation of telegraphs, the then-emerging communication technology. The legislation primarily focused on government control over telecommunication infrastructure and did not explicitly address privacy concerns as understood in the modern context. Consequently, Section 5(2) of the Act, 1885 became one of the significant provisions. It empowered the government to intercept, detain or disclose messages under specific circumstances, such as during a public emergency, in the interest of public safety, the sovereignty and integrity of India or friendly relations with foreign states. While the provision was intended for national security purposes, its broad and discretionary language raised concerns about potential misuse and unchecked state power over private communications.

To put these powers into practice, the Indian Telegraph Rules, 1951[2] (“Rules”) were introduced. Rule 419A set out the procedure for lawful interception, stating that such orders could be issued only by the Secretary to the Government of India in the Ministry of Home Affairs or by the Secretary of the Home Department of a State Government. Although this rule introduced some procedural safeguards, the overarching framework of government interception remained controversial in an increasingly privacy-concern world. Notwithstanding, the Act of 1885 remained the main piece of legislation controlling telecommunications for more than a century. Its limitations became evident with the emergence of mobile phones, the internet and digital communication technologies that it was never designed to regulate.

The liberalization of the telecommunications sector in the 1990s marked a watershed moment in its regulatory and economic trajectory. The opening of the market to private participants not only catalysed unprecedented growth but also necessitated the creation of specialized regulatory institutions to ensure orderly development and fair competition. In this context, the Telecom Regulatory Authority of India (“TRAI”) was constituted in 1997 as an independent statutory body entrusted with the mandate to regulate this sector, safeguard consumer interests and promote a level playing field among service providers. Simultaneously, the Department of Telecommunications (“DoT”), operating under the Ministry of Communications retained its central position in the policy formulation, licensing and spectrum management, thereby maintaining a crucial balance between regulatory oversight and governmental policy control. It was through the DoT’s licensing framework that privacy considerations were formally embedded into the operational responsibilities of Telecom Service Providers(“TSPs”). The introduction of Unified License (UL) conditions in 2013 marked a significant development, imposing a series of privacy-specific obligations on TSPs to ensure the protection of user data and communications:

  • Privacy of Communications: TSPs are required to ensure the privacy of communications and prevent unauthorized interception or disclosure of messages, placing a direct obligation on service providers to protect user data.
  • Data Retention: Licensees must maintain all commercial records, call detail records (CDRs), exchange detail records (EDRs) and Internet Protocol (IP) detail records for at least one year for security scrutiny by the DoT. While this supports law enforcement, it raises questions about the necessity and scope of such extensive data retention.
  • Data Localization: UL conditions restrict the transfer of certain accounting and user information outside India, with limited exceptions for international roaming, billing or foreign subscribers. This ensures that sensitive Indian user data largely remains within the country’s jurisdiction.
  • Lawful Interception and Monitoring: In line with the powers conferred under theAct of 1885, the UL conditions obligate TSPs to provide access to call data and other electronic communications upon lawful government requests. TSPs are required to facilitate interception and monitoring of communications and to enable designated officials to monitor telecom traffic at technically feasible points. These obligations highlight the ongoing challenge of balancing national security interests with individual privacy rights.

One of the most persistent privacy intrusions faced by telecom users in India has been Unsolicited Commercial Communication (UCC) commonly known as spam calls and messages. To address this issue, TRAI introduced several regulations, with the Telecom Commercial Communications Customer Preference Regulations, 2018[3], (“TCCCPR, 2018”) standing out as a landmark initiative.

The TCCCPR, 2018, introduced a framework aimed at curbing unsolicited commercial communications, emphasizing consumer preferences and consent. Its key features included:

  • Customer Preference Registration: Consumers could register their preferences for receiving commercial communications either fully blocked or partially blocked through the National Customer Preference Register (NCPR).
  • Distributed Ledger Technology (DLT): The regulation introduced blockchain-based DLT platforms to record and manage customer consents and preferences, ensuring transparency and immutability.
  • Sender ID and Template Registration: Telemarketers were required to register sender IDs (headers) and content templates for their messages to prevent arbitrary or misleading sender information.
  • Categorization of Messages: Commercial messages were classified as Promotional, Service, Transactional or Government, with each category carrying specific prefixes or suffixes to help users identify the nature of the message.

Furthermore, in response to the growing sophistication of spam tactics, TRAI further fortified these regulations through the TCCCPR (Amendment), 2025[4], which introduced a series of enhanced measures to ensure stronger consumer protection:

  • Simplified Spam Reporting: The process for reporting spam was made easier, allowing consumers to file complaints with minimal details even without prior registration. The time limit for reporting spam was extended from 3 to 7 days, while TSPs were required to act within 5 days reduced from the previous 30 day period.
  • Stronger Consumer Control: All promotional messages must now include a clear opt-out option. The amendments also introduced consent expiry timelines and prohibited senders from requesting renewed consent from customers who have opted out for at least 90 days.
  • Strict Action Against Spammers: Repeat violators face stringent penalties, including suspension of telecom resources. The use of 10 digit numbers for telemarketing has been banned, with a new 1600 series number range introduced for legitimate transactional and service calls, helping users distinguish them from spam.
  • Enhanced Compliance and Detection: Telecom operators now face financial penalties for non-compliance. Senders and telemarketers must undergo biometric verification and sign legally binding agreements with access providers. Operators are also required to analyse call and SMS patterns, deploy “honeypots” to detect spam trends, and ensure traceability of all commercial communications.

As India’s regulatory framework evolved, the judiciary played a crucial role in shaping the discourse on privacy. In the landmark case of K.S. Puttaswamy v. Union of India[5], the Supreme Court unanimously recognized the Right to Privacy as a fundamental right under the Constitution. The judgment had significant implications for all legislation governing personal data, including telecom regulations. It underscore that any intrusion into privacy must be based on law, serve a legitimate state purpose, be proportionate to the need, and include procedural safeguards setting a constitutional benchmark for future policymaking.

As India’s telecom sector evolved, the necessity to replace the outdated  Act of 1885 became increasingly pressing. This culminated in the enactment of the Telecommunications Act, 2023[6], which came into force in June 2024. The new legislation modernizes India’s telecom legal framework, addressing contemporary challenges and embedding privacy considerations more explicitly. The key privacy related aspects of the Telecommunications Act, 2023, include:

  • Modernized Definitions: The Act updates the definitions of “telecommunication services” and “telecommunication network” to encompass modern communication technologies.
  • Lawful Interception Framework: The Act maintains the government’s authority to intercept communications while aligning with the principles laid down in the Puttaswamy judgment, striving to balance national security imperatives with the protection of individual privacy. Nonetheless, the sufficiency and effectiveness of these safeguards continue to be a subject of debate.
  • Consent Requirements: The Act introduces provisions related to user data processing, emphasizing consent as a central principle aligning with emerging global data protection standards.
  • Digital Identity and User Authentication: It establishes a framework for digital identity and user authentication, aimed at reducing anonymity and enhancing accountability in communications. While this aids in tracing malicious actors, it also raises questions about potential surveillance.
  • Obligations for Service Providers: The Act strengthens TSP obligations regarding network security, data protection, and adherence to privacy norms.
  • Replacement of Outdated Rules: Importantly, the Telecommunications Act, 2023, repeals the Act of 1885. Correspondingly, Rule 419A of the Rules of 1951, has been replaced by the Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024, which provide a more structured and procedurally sound framework for lawful interception under the new regime.

India’s trajectory in telecom privacy regulation has been both dynamic and evolutionary. From a colonial-era framework centred on state control to a contemporary regime that recognizes privacy as a constitutionally protected fundamental right, the sector has witnessed significant legal and regulatory progress. Nevertheless, the persistent challenge remains, to reconcile national security and law enforcement imperatives with the fundamental right to privacy.

The implementation of the Telecommunications Act, 2023, in conjunction with the Digital Personal Data Protection Act, 2023, is poised to play a pivotal role in shaping the future contours of digital privacy in India. In an era marked by AI-driven communications and increasingly sophisticated cyber threats, regulators must exercise vigilance, adaptability and foresight. In essence the telecom privacy landscape reflects a nation carefully navigating the challenges of the digital age, aiming to build a communications ecosystem that is both secure and respectful of individual privacy rights.

[1] Indian Telegraph Act, 1885, Act No. 13 of 1885, enacted on 18 March 1885, India.

[2] The Indian Telegraph (General) Rules, 1951, G.S.R. 739(E), dated 3 December 1990, India.

[3] Telecom Commercial Communications Customer Preference Regulations, 2018, notified by the Telecom Regulatory Authority of India (TRAI) on July 19, 2018, India.

[4] Telecom Commercial Communications Customer Preference (Amendment) Regulations, 2025, notified by the Telecom Regulatory Authority of India (TRAI) on February 12, 2025, India.

[5] AIR 2017 SC 4161

[6] The Telecommunications Act, 2023, Act No. 44 of 2023, enacted on 25 December 2023, India.

Categories

Join Our List To Stay In Touch

Leave your email id to receive regular updates on
corporate law changes that have impact on businesses.

    Samisti Logo

    Samisti Legal is a corporate law firm with an experienced set of inter-disciplinary legal professionals with an unwavering focus on providing advice based on the business intent.

    PRACTICE AREAS

    OFFICES

    Hyderabad | Mumbai | Bangalore

    Thank you for visiting our website.

    For regular updates, please follow us on:

     

    As per The Bar Council of India Rules and The Advocates Act, 1961, an advocate cannot approach his/her client or advertise or promote his profession by way of advertisements or solicitation. Thus the materials on this website are intended for informational purposes only. The materials on this website are neither intended to be, nor should they be interpreted as, legal advice or opinion. The reader should not consider this information to be an invitation to an attorney client relationship, should not rely on information presented here for any purpose, and should always seek the legal advice of counsel in the appropriate jurisdiction. Transmission and receipt of the information in this site and/or communication with the Samisti Legal LLP (“Samisti Legal / Firm”) via e-mail/ chat / blog or any other mode is not intended to solicit or create, and does not create, an attorney-client relationship between Samisti Legal and any person or entity. The information provided under this website is solely available at your request for informational purposes only, should not be interpreted as soliciting or advertisement…

    By accessing and using this site, the user expressly agrees with, and acknowledges, the following:

    • The user wishes to gain more information about Samisti Legal for his/her/its own information and use.
    • The user has not received any unsolicited invitation from Samisti Legal or any of its members or authorized representatives to view this website.
    • There has been no advertisement, personal communication, solicitation, invitation or inducement of any sort whatsoever to the user from Samisti Legal or any of its members or any authorized representative to solicit any work, including through this website.
    • The information about Samisti Legal is provided to the user only on his/her/its specific request, and any information obtained or materials downloaded from this website is completely at the user’s own volition.
    • Samisti Legal assumes no liability for the interpretation and/or use of the information contained or referred to on this website, nor does it offer a warranty of any kind, either expressed or implied.

    Agree Disagree