Telcos seek DPDP-telecom rules syncing; COAI to submit proposals to Meity

The ministry notified the rules on November 14, bringing into effect the law

dpdp act india, india data protection rules, bundled consent india, user data privacy india, digital consent management, meity data rules, data fiduciaries india, india internet privacy law

BS Reporter New Delhi

4 min read Last Updated : Nov 27 2025 | 10:35 PM IST

Don't want to miss the best from Business Standard?

Telecommunications (telecom) service providers have flagged the need for aligning the Digital Personal Data Protection (DPDP) Rules with laws governing the telecom sector across areas such as security compliance frameworks, breach-notification requirements, and age-verification methodology for verifiable consent in the case of minors, among others.

For instance, on security compliance, carriers have said that the current framework in the telecom sector was highly detailed and resource-intensive. Therefore, under the DPDP Act, “a calibrated, risk-based approach consistent with global best practices and standards, aligned with established telecom-security norms” should be adopted by the Data Protection Board to ensure robust protection and an efficient compliance mechanism.

On the requirement of mandatory notification for data breaches (Rule 7), carriers have said that a proportionate reporting model, as followed in Japan and several European Union (EU) jurisdictions, should be adopted. Also, since there are multiple incident-reporting obligations under the Information Technology Act, Indian Computer Emergency Response Team (CERT-In) directions, guidelines by the Department of Telecommunications, and now the DPDP framework, harmonised timelines, and aligned procedures are essential.

This will “help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes,” said Cellular Operators Association of India (COAI) in a statement on Thursday. Key members of the association include Reliance Jio, Bharti Airtel, and Vodafone Idea.

The industry body said that it would send its set of recommendations to the Ministry of Electronics and Information Technology (Meity). The ministry notified the rules on November 14, bringing into effect the law which had been several years in the making.

COAI has proposed that CERT-In and the Data Protection Board consider adopting a unified breach-reporting timeline, with a single trigger and a harmonised reporting window applicable across all digital and telecom entities.

“A standardised incident-notification format, accepted by all competent authorities, would ensure that regulators receive timely, consistent and decision-useful information, without necessitating multiple parallel reports under differing timelines. This approach would be in line with the recent recommendations by the NITI Aayog panel, where they have proposed overhauling the nation’s regulatory framework to promote ease of living and ease of doing business,” the industry body added.

On reasonable security-safeguard mandates (Rule 6), the industry body has said that “reasonable security safeguards” should be assessed in a layered, risk-based manner, rather than through encryption and masking alone.

“From a sectoral standpoint, mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data,” it added, noting that the measures provide a robust defence-in-depth architecture for protecting digital personal data processed over telecom networks.

COAI reiterated that the age group of 16–18 be exempted from using SIMs, while adding that establishing verifiable consent for users below 18 years of age presents practical challenges and does not adequately reflect India’s diverse household structures. It noted that the age limit does not reflect the digital autonomy encouraged under various government initiatives.

Under the additional obligations mandated for Significant Data Fiduciary (Rule 13), COAI has proposed that Data Protection Impact Assessment (DPIA) requirements be risk-based rather than annual and prescriptive. “Rather, DPIAs conducted under recognised global frameworks, such as the General Data Protection Regulation (GDPR), should be duly recognised to avoid redundancy,” it added. GDPR is a EU law, also among the first such laws, on data protection and privacy.

COAI noted that current restrictions disallowing directors and key personnel from having any association with data fiduciaries may be overly stringent.

“Several established organisations in technology, financial, and telecom services possess the experience required to operate responsible consent-management systems,” it said, proposing that the blanket prohibition be replaced with safeguards against preferential treatment, such as declarations at the time of registration rather than mandating changes to corporate constitutions.

“COAI is of the view that either a single, interoperable consent-management layer be permitted for the telecom sector (for example, through a common industry consent manager or interoperable arrangements), or that it be clarified that telecom operators are not mandatorily required to use external consent managers where a robust, auditable internal consent-management system is in place, provided that such systems fully meet the DPDP standards on consent,” it added.

COAI had recommended adherence to the well-established legal principle that specific laws prevail over general laws. “A review and harmonisation of sector-specific regulations with the DPDP framework, along with clear interpretative guidance, would help minimise ambiguity and facilitate a smooth transition for all stakeholders,” it said while pointing to Section 38(2) of the DPDP Act, 2023, which accords the Act overriding effect over other laws in case of conflict.