The Rajya Sabha Committee on Delegated Legislation has raised concerns about the Telecom Cybersecurity Rules, 2024. The committee, in its recent report, asked the government to clearly define what “traffic data” includes and to strictly limit data collection to what is necessary for telecom cybersecurity.
The panel criticized the use of vague terms like “any other data”, saying it could lead to privacy risks. It also noted that introducing new terms like Telecommunication Identifier User Entities (TIUEs) could make things worse. These terms are so broad they might apply to nearly any business, from a local shop to a fintech startup.
“The Committee, however, recommends that a mechanism of having a periodic review of the data-sharing framework to assess its effectiveness in enhancing telecom cybersecurity and address emerging privacy or security challenges be set up. Besides efforts towards regular engagement with stakeholders regarding the sharing process and evolving cybersecurity standards shall also be beneficial.”
The committee warned that the new definitions go against its previous advice to make the rules more specific and reduce confusion.
Background of the Rules
The government introduced the Telecom Cybersecurity Rules in 2024 under the Telecommunications Act of 2023. These rules allow the government and its agencies to request “traffic data or any other data” from telecom companies to ensure cybersecurity. However, the rules don’t define what traffic data includes, except to clarify that “it does not include message data.”
Key Meetings and Concerns
From February to March 2025, the committee held meetings with top telecom officials, including the Department of Telecom (DoT), the Telecom Engineering Centre, and the Cellular Operators Association of India (COAI).
COAI Director General Lt Gen Dr. S.P. Kochhar said that telecom companies don’t clearly understand what traffic data they need to share or when they must share it.
He also noted that the government allows sharing of traffic data analysis not just with law enforcement, but also with other telecom companies and users.
Kochhar recommended limiting this sharing to law enforcement only. He also urged the government to define “security incidents” clearly and only ask telecom firms to report major events.
Government’s Response
The Secretary of DoT explained that the rules form a broad framework to protect against telecom misuse, like fraud or digital arrests. The Ministry assured that it will use the data only for cybersecurity and that safeguards are in place to prevent unauthorized access.
The authorities clarified that they share only the analysis of the data, not the raw data itself. For example, if users face targeted cyber threats, this analysis helps alert them quickly.
Regarding security incidents, the government stated that its definition is in line with international standards such as those from the National Institute of Standards and Technology (USA) and MeitY’s April 2016 Notification.
Committee’s Recommendations
- Security Incidents: The committee agreed that a broad definition helps protect critical infrastructure, but suggested a tiered classification to help telcos focus on major threats first.
- Disclosures: It called for clear rules on when and how users are informed, including privacy safeguards and steps to protect telcos from reputational damage.
- The committee stated that the definition of a “telecommunication entity” is too broad and urged the government to refine it to prevent confusion between service providers and other players.
- Data Sharing Review: It urged the government to review the data-sharing process regularly and to involve stakeholders in discussions on cybersecurity best practices.
- Data Safeguards: The term “adequate safeguards” was found too vague. The committee asked for detailed technical and procedural guidelines to protect data confidentiality.
- The rules ban fraudulent messages, but the committee warned that the rules do not define the term. It asked the government to clearly explain what counts as a “fraudulent” message and how to determine it, noting that “an innocent person may unknowingly forward a fraudulent message.”