The Telecommunications Act, 2023, hereafter referred to as “the Act”, marks a significant overhaul in India’s telecommunications legal framework. It was introduced in the Lok Sabha on Dec 18, 2023, and in the Rajya Sabha on Dec 21, 2023. Thereafter, it received Presidential assent on Dec 25, 2023, and was subsequently notified, signifying its enactment into law.
At the heart of the Act are several key provisions that have sparked considerable discussion and debate. These include Section 20(2), which pertains to the interception of telecommunications; Section 3(7), which mandates biometric identification for user verification; and Section 20(2)(b), which grants extensive powers to the government for suspension of telecommunication services. Each of these sections has significant implications for privacy, governmental oversight, and the balance between national security and individual freedoms.
The present article aims to analyse the repercussions of the above key provisions, particularly in light of India’s expected coming into force of the Digital Personal Data Protection Act, 2023.
Interception
Section 20(2) of the Act enables interception of telecommunications. The provision borrows language, to a large extent, from the Act it replaces – Section 5(2) of the Indian Telegraph Act, 1885.
Interception of communications finds mandate across several legislations in India. At present, it is lawful under Section 69(1) and (2) of the Information Technology Act, 2000; The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009; The Indian Telegraph Act, 1885; and Rule 419A of the Indian Telegraph Rules, 1951.
The statutory procedure to carry out interception is hence laid out. It is specified that only the authorized personnel – under Rule 419A, the Secretary to Government of India, MHA, or Secretary to State Government, Home Department can pass such orders. In ‘unavoidable’ circumstances, the Joint Secretary to the Government of India may also pass orders.
A host of safeguards were instilled in the statutory text. For instance, Rule 419A(3) states that interception orders shall be passed only if alternative (and reasonable) means of acquiring the information is not a possibility. The name and designation of the authority issuing the order is to be disclosed in the order. The interception order would further cease to operate after 60 days, unless renewed, but cannot continue after 180 days. Each order must contain reasons in writing, which would be forwarded to a Review Committee within 7 working days.
All such safeguards have been removed from the current Act. What remains is simply that, “[procedure and safeguards] as may be prescribed”.
The result? A dilution of necessary procedural safeguards required of any law which may impact individual privacy. The substantive and procedural safeguards can be expected to be introduced through subordinate legislation, i.e., rules. However, failure to incorporate it in the text of statute itself is worrisome. Inculcating safeguards within the statute enables certainty and robustness for all stakeholders. The Act has failed to capitalize on the opportunity to introduce much-needed changes, such as the lack of any independent oversight of interception orders – independent of the Executive.
Data transfer agreements between jurisdictions have been invalidated on similar grounds. The Court of Justice of the European Union (CJEU) in the case of Maximillian Schrems vs Data Protection Commissioner, (2015) C-362/14 invalidated the EU-US Safe Harbour mechanism for facilitating cross-border data flows from EU to US on grounds of US intelligence agencies having overbroad powers to access citizens’ communications data. The European Court of Human Rights (ECJ) in the case of Ekimdzhiev & Ors. vs Bulgaria, Application No. 70078/12, found a violation of Article 8 of the European Convention on Human Rights on grounds of lack of sufficient independence of the oversight mechanism in place.
The recent passing of the Post Office Bill, 2023 in the Rajya Sabha is another example of wide powers of interception being granted to the Central Government to carry out interception of written postal communications.
The exercise of such discretionary authority may constitute violation of the Fundamental Right to Privacy under Article 21 of the Constitution. Further, such wide powers infringe upon the right to informational privacy, as held by the Supreme Court in the landmark decision of Justice KS Puttaswamy vs Union of India & Ors. (2017).
It must be reiterated that surveillance and interception of communications if carried out, must be on narrowly tailored grounds. The existence of robust safeguards, such as independent oversight, timelines for interception orders, and review of orders, are necessary to avoid possible misuse.
Biometric Identification for User Verification
Section 3(7) of the Act states that entities which have been authorised to provide telecommunication services, are now required to ‘identify’ whom they are providing such service to, using ‘any verifiable biometric based identification’.
Requiring entities to verify the identity of an individual through biometrics would constitute a restriction under Article 21 of the Constitution. It also brings into question whether such a provision would meet the test of proportionality, under which the State must be able to demonstrate that the measure adopted is the least restrictive, and alternatives are not available to achieve this purpose. The determination of ‘verifiable biometric based identification’ has also been delegated to rules prescribed under the law, leaving this provision a broad mandate upon both telecom entities as well as every user. It is also not clear why the collection of biometric data is the prescribed method for verifying user identity, and adds to the range of personal data already collected by entities at large for provision of services. With collection of data as sensitive as biometrics, and in the absence of permitting alternate identity proofs, this provision does not meet the test of proportionality.
The provision also applies to any user who may avail a wide range of services: whether it is subscribing to an online service, creating an online profile or even buying a SIM card. Such measures are likely to result in an increase of profiling of each user. Widespread usage of biometrics can have the effect of undermining the right of an individual to remain anonymous, as observed by J. Chandrachud in Justice K.S. Puttaswamy vs Union of India & Ors. (2017).
Under the Digital Personal Data Protection Act, 2023, a Data Fiduciary is required to retain personal data of a Data Principal if required to do so for a legitimate purpose under the law, and additionally must undertake reasonable security safeguards to protect their personal data. No specific period has been prescribed for retention of biometric data of a user under the Act. This would further increase compliance costs for entities in setting up adequate secure systems to collect, store and protect biometric data of each user that avails their service. Users face a mandatory requirement to submit biometric data, but likely cannot request to withdraw this data since it is mandated under this law, thereby resulting in sensitive data being retained for uncertain periods of time. It also leaves entities vulnerable to increased threats of breach and data theft, which in the case of biometric data, can have severe consequences in case of misuse.
Internet Suspension
Section 20(2)(b) of the Act, grants the Central Government, State Governments, or authorised officers the power to suspend telecommunication services or classes of services in the interest of public safety or sovereignty. It allows the government to take necessary measures during emergencies or in the interest of public safety. Concerningly, the guardrails for this power do not find mention under the Act and are expected to be introduced through Rules.
Through this, the Government has given itself the wide grounds and authority to direct the suspension of any telecommunication service or class of services transmitted or received by any telecommunication service or network, without any substantive checks and balances.
In the absence of clear guidelines on the exercise of such wide power, possibilities of arbitrariness or misuse through reactive suspension of telecommunication services may become more common. India presently sits atop the list of countries imposing Internet Shutdowns, with close to 800 internet shutdowns (Internet Shutdowns Tracker by SFLC.in, accessible at https://internetshutdowns.in/).
The suspension of telecommunication services infringes upon the Right to Freedom of Speech and Expression, guaranteed under Article 19(1)(a) of the Constitution of India. The Act also amends the TRAI Act, which may affect the regulation of telecommunication services in India. The new provisions in the Act may require the TRAI to play a more significant role in overseeing the suspension of telecommunication services under Section 20(2)(b).
The Supreme Court’s judgement in Anuradha Bhasin v. Union of India (2020) declared that suspending internet services is a drastic measure that must adhere to the tests of necessity and proportionality. The Court laid down procedural safeguards for suspending internet services, including the requirement to publish internet suspension orders and ensure periodic review of the suspension. However, despite these guidelines, there have been instances where states have unlawfully suspended telecom and internet services by not following the prescribed procedures. However, as is seen, the Act has failed to take into account the guidelines passed by the Court.
The potential for misuse and the impact on fundamental rights, particularly the freedom of speech and expression, must be carefully considered in the context of the Anuradha Bhasin decision. Furthermore, the provision should be evaluated to ensure that it aligns with the principles of necessity, proportionality, and procedural safeguards outlined in the Anuradha Bhasin judgement.
Conclusive Remarks
The Telecommunications Act, 2023 represents a pivotal shift in India’s telecommunications and digital privacy landscape. While the Act attempts to modernize the regulatory framework, it raises significant concerns regarding the dilution of procedural safeguards, potential infringements on privacy rights, and the broadening of governmental powers in the interception and suspension of telecommunication services. These issues not only challenge the foundational principles of individual freedoms and privacy but also call for a stringent review of the Act’s alignment with constitutional mandates and international human rights standards. It is imperative that future amendments or subordinate legislation under this Act address these concerns, ensuring a balanced approach that upholds the right to privacy and freedom of expression while catering to national security needs. The Act’s current form necessitates careful scrutiny and proactive engagement from all stakeholders to safeguard the fundamental rights enshrined in the Constitution of India.