Telecom operators such as Bharti Airtel and Reliance Jio have called for a single digital platform to report data breach incidents to different regulators and government departments in one go. The issue has been raised by the telecom operators during the ongoing consultations with the department of telecommunications (DoT) and the ministry of electronics and IT (MeitY) on the draft rules to implement the Digital Personal Data Protection (DPDP) Act.
This assumes significance as currently companies including the telecom operators have to report cyber security breach to Indian Computer Emergency Response Team (CERT-In) within six hours after detection. Once implemented, the DPDP Act, would require companies to report data breach incidents to the Data Protection Board as well as the data principal as soon as they come to know about it and additional details within 72 hours. Further, the Telecom Act also requires telcos to report cyber security incidents to the government within six hours of becoming aware and additional details on the impact of the incident within 24 hours.
Reporting of data breach incidents to different government departments would increase the burden on the operators, the telcos said, adding that there are certain provisions under the Act, which overlap with existing telecom sector laws.
Notably, Airtel and Jio on Thursday also gave presentations to DoT and MeitY officials on their readiness for the DPDP Act, the challenges and the need for an adequate time to comply with the Act after the rules come into force. Besides calling for a single platform for breach reporting, the companies flagged challenges on erasure of data provision after storing for three years, and issuing notice for seeking users’ consent in all 22 languages. The telcos said that children data verification, as well as coordination with multiple consent managers, will need changes in architectures and require higher compliance time.
“As telecom service providers, we are custodian of large subscriber data. We foresee building a consent management framework will require significant time and effort, considering the amount of subscribers we have and personal data which we are carrying,” Amit Mathur, head of data regulation and data architecture at Reliance Jio, said during his presentation.
According to Mathur, a digital mechanism could be there for reporting data breaches and the same can be automatically conveyed to all the entities.
Airtel echoed Jio’s views on the challenges and longer time for compliance. Shweta Singh, general manager, policy and strategy at Bharti Airtel said, “…it is under discussion with DoT that how can we streamline the process so that there can be a single set of reporting and that can satisfy the requirements of all ministries”.
On the provision related to data erasure and intimation to users before 48 hours, Singh said, this compliance will be irrelevant for telecom operators. This is because telcos are actually mandated to hold the consumer application form (CAF) of users and there is a huge possibility that the number is passed on to a different individual by the time the timeline for data deletion kicks in. The draft rules mandate some entities such as e-commerce platforms, online gaming services, and social media networks to delete the data three years after it is no longer needed.
Analysts said given their large user base, it will be challenging for telecom operators to manage data principal rights — such as access, correction, and deletion of data. Non-compliance could result in penalties of up to ₹250 crore, imposed by the Data Protection Board.
To ensure a smooth transition, the government is proposing a two-year time frame for businesses to comply with the new law. This will allow industries to adapt their systems and avoid operational disruptions.
The draft rules to implement the DPDP Act were released by the government for public consultations in January. The public consultations are open until February 18.
