
The Telecommunications Act 2023 Meets the DPDP Act: Who Regulates Telecom Data?
- tuhinbatra

I. Context
India’s telecommunications service providers occupy a singular position in the country’s emerging data-governance architecture. They are, by the nature of their operations, among the largest processors of personal data in the country: subscriber identity, call detail records, traffic data, location data, device identifiers, and, increasingly, data generated by value-added and OTT-adjacent services. This data is subject to a layered and imperfectly reconciled set of obligations arising from the Telecommunications Act, 2023, the conditions of unified access service and other DoT licences, the Telecommunications (Telecom Cyber Security) Rules, 2024, the Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024, and, once its substantive provisions commence, the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
The two principal statutes, the Telecom Act and the DPDP Act, were enacted within months of each other. They address the same underlying subject matter (the processing of personal information by large-scale entities) from different vantage points and with different institutional architectures. The Telecom Act is a sectoral statute administered by the Department of Telecommunications and the Telecom Regulatory Authority of India. The DPDP Act is a horizontal statute to be enforced by the Data Protection Board of India. Where the two regimes overlap, neither expressly yields to the other, and the DPDP Act’s preservation clause, which provides that its obligations do not derogate from more restrictive obligations under other laws, creates as many questions as it resolves.
This article maps the points of intersection and divergence between the two regimes as they apply to telecom entities, identifies the unresolved jurisdictional questions, and sets out the contractual and operational measures telecom operators and their vendors should put in place before the DPDP substantive obligations commence on 14 May 2027.
II. The Telecom Act’s Data Provisions
The Telecommunications Act, 2023, which received Presidential assent on 24 December 2023 and whose provisions have been brought into force in stages, replaces the Indian Telegraph Act, 1885 as the primary legislation governing telecommunications in India. Its data-relevant provisions fall into three categories: lawful interception, cyber security, and identity verification.
Lawful interception. Section 20 empowers the Central Government or a State Government to direct the interception, monitoring, or disclosure of any message or class of messages transmitted through a telecommunication network or service, on grounds including the sovereignty and integrity of India, security of the State, friendly relations with foreign states, public order, and the prevention of incitement to offences. The Lawful Interception Rules, 2024, issued under sections 20(2)(a), 20(4), and 56(2)(t)-(u), prescribe the procedure: interception orders must be in writing, issued by the competent authority (the Union Home Secretary or the State Home Secretary), and reviewed bi-monthly by a Review Committee. Intercepted records must be maintained with secrecy and destroyed every six months unless required by a court order or operational necessity. The penalty for unauthorised interception is imprisonment of up to three years, a fine of up to two crore rupees, or both.
Cyber security. The Telecommunications (Telecom Cyber Security) Rules, 2024, impose obligations on telecom entities to protect their networks and the data processed through them, including the reporting of security incidents to the designated authority. These rules operate alongside, and in addition to, the CERT-In Directions of April 2022, which independently require six-hour incident reporting for cyber events.
Identity verification. Section 4 of the Telecom Act requires telecom entities to verify the identity of their subscribers. The Act contemplates that verification may be conducted through verifiable biometric-based identification, a provision that has attracted criticism on proportionality grounds given the sensitivity of biometric data. The biometric data collected and processed for this purpose is itself personal data within the meaning of the DPDP Act, creating a nested compliance obligation: the verification process mandated by the Telecom Act must itself comply with the data-processing requirements of the DPDP Act once they come into force.
Traffic data and CDR retention. Existing DoT licence conditions require telecom service providers to retain call detail records for a period of two years. The Telecom Cyber Security Rules do not specify a limit on the retention of traffic data. This stands in tension with the DPDP Act’s requirement that personal data be erased once the purpose of processing has been fulfilled. A CDR retained for two years under a licence condition may, after May 2027, simultaneously be subject to a DPDP obligation to erase it once its specified processing purpose is complete.
III. The DPDP Overlay
A telecom service provider processing digital personal data of individuals in India is a Data Fiduciary within the meaning of the DPDP Act. The scale of data processed makes it highly probable that major TSPs will be designated as Significant Data Fiduciaries, with the heightened obligations that designation carries: appointment of a DPO based in India, an independent data auditor, periodic DPIAs, and algorithmic-risk verification under Rule 12 of the DPDP Rules.
The DPDP Act’s substantive obligations, commencing 14 May 2027, will require TSPs to issue notices to Data Principals specifying the personal data collected and the purposes of processing; to obtain consent where processing is not covered by a legitimate use; to honour access, correction, and erasure requests; to implement reasonable security safeguards; and to notify the Data Protection Board and affected Data Principals in the event of a personal data breach, without delay and with a detailed report within seventy-two hours.
These obligations apply in addition to, and not in substitution of, the obligations under the Telecom Act and DoT licences. The DPDP Act expressly provides that nothing in it derogates from obligations imposed under any other law that are more restrictive. The practical consequence is that a TSP must satisfy both regimes simultaneously, and where they conflict, the more demanding obligation prevails.
IV. Points of Collision
Retention versus erasure. The most immediate collision is between the Telecom Act’s data-retention requirements and the DPDP Act’s purpose-limitation and storage-limitation principles. A TSP that retains CDRs for two years under its licence conditions may face a Data Principal’s erasure request under the DPDP Act before that period expires. The DPDP Act’s preservation clause likely protects the TSP’s retention obligation under the licence, but the analysis must be conducted item by item, because not all telecom data is retained under a mandatory licence condition. Traffic data, location data, and metadata retained beyond the period necessary for the specified purpose may not benefit from the preservation clause and may be subject to erasure.
Interception and consent. Lawful interception under Section 20 of the Telecom Act does not require the consent of the Data Principal. The DPDP Act’s consent architecture does not apply where processing is required under law. However, the TSP’s obligation to provide notice to the Data Principal under the DPDP Act sits uncomfortably with the secrecy requirement of the Interception Rules. A TSP cannot disclose the fact of an interception to the affected subscriber, yet the DPDP Act requires that the Data Principal be informed of the purposes of processing and the entities with whom their data is shared.
Breach notification. A cyber-security incident affecting a telecom network may simultaneously trigger reporting obligations under the Telecom Cyber Security Rules, the CERT-In Directions, and the DPDP breach-notification regime. Each regime has its own timeline, recipient, and format. The TSP must report to the designated telecom authority, to CERT-In within six hours, and to the Data Protection Board and affected Data Principals under DPDP. Compliance with one does not discharge the others.
Jurisdictional ambiguity. Where a Data Principal lodges a complaint about the processing of their telecom data, the question arises: does the complaint lie before the Data Protection Board under the DPDP Act, or before TRAI under the Telecom Act’s consumer-protection provisions? The two institutions have different mandates, different remedial powers, and different procedural frameworks. The result is a potential for concurrent jurisdiction and inconsistent outcomes.
The jurisdictional question has substantive implications. If a Data Principal complains that a TSP has failed to erase their personal data, and the TSP defends on the basis that it is required to retain the data under its licence conditions, the adjudicating body must determine whether the licence condition constitutes a more restrictive obligation under another law. The DPB may lack the sectoral expertise to evaluate the scope and binding force of DoT licence conditions. TRAI, conversely, lacks the mandate to adjudicate on DPDP compliance. Until the legislature or the courts clarify the institutional boundary, TSPs face the prospect of defending the same processing activity before two bodies with potentially different conclusions.
A related question concerns the interaction between the DPB’s penalty jurisdiction and the Telecom Act’s penalty provisions. The DPDP Act provides for financial penalties of up to two hundred and fifty crore rupees for failure to implement reasonable security safeguards. The Telecom Act provides for imprisonment of up to three years and fines of up to two crore rupees for unauthorised interception. A single security incident could expose a TSP to penalties under both statutes, imposed by different bodies, without a mechanism for coordination or set-off.
V. The Biometric Verification Problem
Section 4 of the Telecom Act requires telecom entities to verify the identity of their subscribers, and contemplates verification through biometric-based identification. The collection of biometric data engages the DPDP Act on multiple fronts. Biometric data is personal data; its collection for verification is processing that requires a lawful basis. The most natural basis is the compliance-with-law legitimate use, since the Telecom Act mandates the verification. However, the DPDP Act’s notice requirement still applies: the TSP must inform the subscriber of the personal data being collected and the purpose of processing. The collection of biometric data also raises children’s-data issues, since the DPDP Act imposes a distinct regime for processing of data relating to individuals under eighteen, including verifiable parental consent.
The proportionality of biometric verification has been questioned. The Supreme Court in Justice K.S. Puttaswamy v. Union of India held that any measure infringing upon the right to privacy must satisfy tests of legality, legitimate aim, proportionality, and procedural safeguards. Whether biometric collection for telecom subscriber verification satisfies these tests, particularly when less intrusive alternatives exist, is a question that may be tested before the courts. TSPs implementing biometric verification must design the process to comply with both the Telecom Act mandate and the DPDP Act’s notice, purpose-limitation, and storage-limitation requirements.
VI. The SDF Dimension
The designation of a telecom service provider as a Significant Data Fiduciary under Section 10 of the DPDP Act introduces an additional layer of obligation. Rule 12 of the DPDP Rules requires every SDF to undertake due diligence to verify that its technical measures, including algorithmic software, do not pose a risk to the rights of Data Principals. For a TSP, algorithmic software could encompass network-management algorithms, automated subscriber-profiling systems, targeted-advertising engines, and fraud-detection tools, each processing personal data at scale.
The SDF must also appoint a Data Protection Officer resident in India, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments. These requirements overlap with, but do not duplicate, the governance obligations already imposed on TSPs under DoT licence conditions and TRAI regulations. A TSP that is also an SDF will maintain parallel governance structures. The risk is not merely administrative duplication but substantive inconsistency, where the DPIA identifies a data-protection risk in a processing activity that the TSP is mandated to perform under its licence or the Telecom Act.
The SDF regime also imposes cross-border transfer restrictions. An SDF may be required to ensure that personal data and associated traffic data are not transferred outside India. This restriction would interact with the operational reality that many TSPs use global infrastructure providers for network management, cloud services, and data analytics. The contractual and technical measures required to isolate Indian personal data from cross-border processing chains are substantial, and they must be in place before the SDF obligations commence.
VII. Contractual and Operational Implications
The dual-regime exposure has direct implications for the contractual architecture through which TSPs engage vendors, managed-service providers, equipment suppliers, and platform partners.
Processor contracts. Any entity processing personal data on behalf of a TSP is a Data Processor under the DPDP Act. The TSP, as Data Fiduciary, bears primary accountability. Processor contracts must address both the DPDP obligations and the Telecom Act obligations, including lawful-interception cooperation, data-retention requirements, and cyber-security incident reporting. The contracts must reconcile the DPDP Act’s erasure obligations with the Telecom Act’s retention requirements, specifying which categories of data are retained under mandatory licence conditions and which are subject to erasure upon fulfilment of purpose.
Incident response. TSPs should build a unified incident-response framework that triages a single event simultaneously against the Telecom Cyber Security Rules, the CERT-In Directions, the DPDP breach-notification requirements, and any applicable TRAI or DoT reporting obligations. The six-hour CERT-In clock is the binding constraint, but the DPDP obligation to notify affected Data Principals introduces an additional workstream with no analogue in the telecom-specific reporting obligations.
Privacy notices. TSPs will need to issue DPDP-compliant notices to subscribers that accurately describe the personal data collected, the purposes of processing, the basis of processing, and the Data Principal’s rights, while remaining silent on matters covered by interception secrecy requirements. The notice must be drafted to be accurate and complete without disclosing the existence or possibility of lawful interception, a drafting exercise that requires careful legal judgment.
VIII. Conclusion
The Telecommunications Act, 2023 and the DPDP Act, 2023 were enacted to address different dimensions of the same underlying reality: the processing of vast quantities of personal data by entities operating critical digital infrastructure. Their concurrent application to telecom service providers creates a compliance environment that is layered, imperfectly reconciled, and jurisdictionally ambiguous. The retention-versus-erasure tension, the interception-versus-notice paradox, the multi-regime breach-reporting obligation, and the unresolved question of institutional jurisdiction between the DPB and TRAI are not theoretical concerns; they are operative compliance questions that will confront every major TSP when the DPDP substantive obligations commence in May 2027.
Telecom operators that build their compliance architecture around either statute in isolation will find that the other imposes obligations they have not prepared for. The prudent course is to map every category of personal data processed against both regimes, identify the points of collision, resolve them by reference to the preservation clause and the principle that the more restrictive obligation prevails, and embed the resolution in processor contracts, incident-response plans, and privacy notices before the DPDP enforcement date arrives.
This article is provided for general information and does not constitute legal advice. Organisations should obtain advice tailored to their specific circumstances and regulatory status.
