Private telecom operators have sought two years to comply with the provisions of the Digital Personal Data Protection (DPDP) Act after the rules are notified, flagging compliance burden.
Earlier this month, telcos held an initial round of talks with the department of telecommunications (DoT) on DPDP rules and raised several issues, including the role and responsibilities of consent managers, compliance burdens, and duplication of processes, sources told Moneycontrol.
“The demand is that the industry needs the requisite amount of time to implement the changes, as there are many aspects to address. We need at least two years to implement them,” a telecom executive who attended the meeting told Moneycontrol on condition of anonymity.
“The second major ask was to avoid duplication. As part of license agreements, telcos already follow and comply with many rules. There has to be synergy between the DoT and MeitY,” the executive said.
The operators also raised concerns about the increasing compliance requirements and regulatory overreach associated with the new rules, the executive said.
“Today, telcos offer multiple services besides mobile, such as DTH and broadband. There has to be a unified solution. We should not have to follow separate processes for each service,” the executive added.
The Ministry of Electronics and Information Technology (MeitY) on January 3 released the draft rules for the DPDP Act to public and has sought feedback till February 18. The deadline is likely to be extended.
The draft rules released on propose additional obligations for significant data fiduciaries (SDF). One of such obligations include restrictions on transferring specific personal data, which a yet-to-be-appointed committee, outside the country will decide.
Telecom operators will likely be classified as significant data fiduciaries (SDFs) under the DPDP Act due to the vast volumes of personal data they handle. Data fiduciaries include all entities (such as telcos) that process personal data of individuals in India.
The operators are expected to include these requests in their comments to the government on the draft rules.
The 24-month timeline will allow telecom operators to modify their customer application forms (CAFs) and adapt their existing technological frameworks to manage user consent for data usage and processing effectively.
Under the new Act, telecom operators' practices for using personal data for marketing communications and sharing data with third parties — such as bundled services offering OTT subscriptions or digital payment add-ons — will also require explicit user consent.
They will also need to implement new technical frameworks, necessitating significant operational changes.
A second executive said telcos discussed these issues with DoT officials during the meeting. “Topics discussed included the role and responsibilities of consent managers, data erasure processes, handling data of past customers, and redressal mechanisms,” the executive said.
Experts expect provisions such as promptly notifying users of a personal data breach and data localisation norms will prompt intense discussions between telcos and the DoT as well as MeitY.
Shreya Suri, partner at law firm IndusLaw, told Moneycontrol that data localisation requirements could significantly impact international calling and messaging services. “If the draft rules are finalised in their current form, it could be operationally challenging for telecom service providers to implement them,” she said.
The draft rules prohibit the transfer of specific personal or traffic data outside India if the government identifies such data based on recommendations from a newly constituted committee.
“Data and voice-related traffic must flow between telecom operators, especially in the case of cross-border or international calls. This traffic naturally qualifies as personal data, including details like caller ID and phone numbers. On the first analysis, this could be problematic. We anticipate extensive deliberation and consultations on this particular aspect,” Suri said.
Union Minister for Electronics and IT (MeitY), Ashwini Vaishnaw, on January 23, emphasised India’s approach to cross-border data transfers under the Digital Personal Data Protection (DPDP) Rules, 2025, describing it as one of “free transfer with trust.”
"There was a little bit of clarity that people wanted about cross-border data transfer, which I think we have already clarified, that our approach is free transfer with trust," Vaishnaw said in an interview to Moneycontrol on the sidelines of the World Economic Forum in Davos, Switzerland.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
