Telecommunications and internet access
i Internet and internet protocol regulation
Internet protocol licensing, in India, is regulated by the DoT through UL under service areas, namely, UL-internet service provider (UL-ISP) under Internet Service (Category-A with all-India jurisdiction), Internet Service (Category-B with all jurisdiction in a service area), and Internet Service (Category-C with jurisdiction in a secondary switching area), along with UL-virtual network operator (UL-VNO) licences.
Under the UL-ISP, the licensee is authorised to provide internet access, including IPTV, internet telephony through public internet by the use of personal computers (PC) or IP-based customer premises equipment (CPE), unified messaging service, etc. The service provider is required to comply with all the conditions in the UL.
Similarly, VNOs are treated as an extension of network service operators (NSO) or telecom service providers (TSPs). Under the UL-VNO guidelines, the authorisation under UL-VNO is issued on a non-exclusive basis (i.e., without any restriction on the number of entrants for provision of any service in a service area). Moreover, the licence can only be granted to an Indian company, partnership firms or organisations established under the Shops and Establishment Act.23
The internet protocol currently used in India is IPv4, which is more than 30 years old. The wide use of internet, broadband, increase in subscribers and deployment of next generation network technology has led to increased consumption of IP addresses, resulting in delay and latches in network and exhaustion of IPv4 addresses. Therefore, DoT is planning to bring IPv6, which is the latest version of the protocol predominately used today.
The IPv6 was even recognised in the National Telecom Policy, 2012, in its preamble and objectives. The policy document for IPv6 was released by DoT in March 2013 to be implemented in India in a phased manner and in accordance with the NTP-2012.24 The latest revision of the implementation timeline, dated 2 November 2021 provides that the necessary action must be undertaken by all organisations to be IPv6 transaction-ready by 31 December 2022.25
In the updated licence terms, the DoT has reinforced compliance with the security conditions, as provided in the UL. The ISPs must also maintain commercial records, call detail records, exchange detail records and IP detail records with regard to the communications exchanged on their network for at least a period of one year.26
ii Universal service
Under the New Telecom Policy, 1999, universal service was provided as one of the main objectives, wherein universal service was aimed to be given to all uncovered areas. In light of the same, the Universal Service Support Policy dated 1 April 2002 was introduced. The guidelines for the same were issued on 27 March 2002.
The Indian Telegraph Act was amended in 2003 (see the Indian Telegraph (Amendment) Act, 2003) wherein the Universal Service Obligation Fund (USOF) was given a statutory recognition under Section 9A.27 Section 9B and 9C of the Act provide for crediting of sum to the consolidated fund and grants and loans by the government. Section 9D provides for administration and utilisation of the fund, wherein it states that the fund shall be utilised exclusively for meeting the Universal Service Obligation.
The resources for meeting the obligation are raised through the universal service levy, which is collected from service providers by raising a percentage of revenue earned by them under various licences. At present, the levy percentage is 5 per cent.28 Thereafter, the allocation is done through parliamentary approval.29
On 9 December 2020, 20.29 billion rupees were released from USOF to provide mobile coverage to 1,683 locations in Arunachal Pradesh and 691 locations in two districts of Assam.30 The DoT has also executed a project which provides for mobile services in 2,199 locations affected by left-wing extremists in Bihar, Chhattisgarh, Jharkhand, Maharashtra, Madhya Pradesh, Odisha, Telangana, Uttar Pradesh and West Bengal.31
In the 2022–23 Budget it was announced that 5 per cent of the annual collection under USOF will be allocated to enable affordable broadband and mobile services in remoter areas.32 Moreover, for better communication facilities and digital resources, the Union Budget announced a public–private partnership and awarded contracts for laying optical fibre in all villages through the Bharatnet project, completion of which is expected in 2025.33
On 1 July 2022, the DoT signed an agreement with Indian telephone Industries (ITI) Limited and BSNL with an aim to fund the pilot projects E-band, LTE indigenous technologies including integration of 4G/5G prototypes with C-DoT core. The USOF would be funding four pilot projects each of around 100 million rupees enabling the development of these technologies.34
iii Restrictions on the provision of service
TRAI is empowered to regulate charges for interconnection, termination and channel subscription. The Telecommunication (Broadcasting and Cable) Services Interconnection (Addressable Systems) Regulations, 2017 and tariff orders provides for obligations of broadcasters, television channels, and service providers along with reference connection offers, as provided by TRAI.
Thereby, on 9 March 1999, the Authority issued the Telecom Tariff Order, 1999 which allowed the consumers to choose the channels they wish to watch and pay only for them at maximum retail prices set by broadcasters, instead of the pre-set bouquets, as offered earlier. However, when the same was implemented, it, in turn, increased the cost for users because the cost of like-to-like channel options went up.
To bring down the cost of entertainment for the end consumer, TRAI announced amendments to the New Tariff Order on 1 January 2020. In the new amendment, TRAI imposed ceilings on prices of channels, bouquets and discounts, and reduced the cap on the maximum retail price of individual channels, which can form part of any bouquet, to 12 rupees from 19 rupees per month, which broadcasters said had not been backed by any logical rationale or consumer insight.
However, the Broadcast Associations challenged the same in the Bombay High Court35 and Supreme Court36 (however, the petition was later withdrawn on 15 February 2022). After no interim relief was granted by the Supreme Court and withdrawal of the petition, the broadcasters were ordered to comply with the New Regulatory Framework 2020 and submitted their Reference Interconnect Offer (RIO) to TRAI.
To address the issues identified by the stakeholders’ committee, which held discussions on 23 December 2021, the Authority issued the consultation paper for seeking stakeholders’ comments on points and issues which are pending for full implementation of the New Regulatory Framework.37
Interconnection is another commercial and technical arrangement between the service providers, wherein they facilitate connection between their equipment, services and networks, which enables better connectivity to consumers. For regulations relating to interconnection, Section 11(b) of the TRAI Act38 provides that the TRAI has the following functions, namely:
- fixing terms and conditions of interconnectivity between the service providers;
- ensuring technical compatibility and effective interconnection between different service providers; and
- regulating arrangement among service providers of sharing their revenue derived from providing telecommunication services.
Recently, in the case of CCI v. Bharti Airtel Ltd,39 the issue relating to interconnection was discussed when Reliance Jio requested the other service providers – namely, Bharti Airtel Limited, Vodafone India Limited and Idea Cellular Limited – to augment the point of interconnection for access, international long-distance, and national long distance services but the request was ignored by them. When Reliance Jio informed TRAI of the same, the Authority issued them with a show-cause notice for violation of Quality of Service of Basic Telephone Service (wireline) and Cellular Telephone Service Regulations, 200940 and Clause 27.4 of Part I of the Unified License. At the same time, an information order was also filed in the Competition Commission of India that the three service providers have an anticompetitive agreement causing appreciable adverse effects on competition in the telecommunication industry. As a cumulative penalty, the Department of Telecommunication imposed a 30.5 billion rupee fine on the service providers.
As far as statutory restrictions on sending of electronic direct messages are concerned, the Telecom Commercial Communications Customer Preference Regulations, 201841 have been issued by TRAI which regulates unsolicited commercial communication. The Regulations provide for a wide range of customer preference using distributed ledger technology, cloud-based solutions for handling consumer grievance, registration of senders, headers (which is a unique ID assigned to each telemarketer), and complete control over the consent of subscribers to allow or disallow telemarketers to send unsolicited phone calls and texts.
iv Privacy and data security
On 27 June 2022, Razorpay, a Bengaluru-based payment gateway was compelled to supply its customer data in a police investigation against Alt News’ co-founders who were allegedly receiving money from Pakistan, Australia, Singapore, Syria and UAE through the platform. This raised a critical privacy law issue as Razorpay users raised a concern that this action would leave them vulnerable to harassment as there was no safeguard against their misuse.42
This was similar to the case last year when Alibaba Group Holding Ltd’s cloud business in India got into serious trouble. A first information report (FIR) for alleged cheating under the IT Act had been registered against Alibaba for hosting a fraudulent website and when it did not respond to the data demands of the police team investigating in the matter, its bank account was frozen.43
For these companies, the only resolution is the data protection law, which provides them with relief in cases of unlawful demands by the authorities. In India, the data protection law has already been half a decade in the making but of no avail. Back in 2017, India was all set to introduce data protection laws and in July 2017, a panel was constituted under Justice BN Srikrishna (former Supreme Court judge) to frame data protection norms. In August 2017, the Supreme Court of India held a right to privacy as one of the fundamental rights in the case of Justice Puttaswamy v. Union of India.44
Later, in 2018, the Data Protection Bill, 2018 (PDP Bill 2018) was introduced in the parliament which gave the government unencumbered access to citizens’ personal data. This was followed by the Privacy Data Protection (Amendment) Bill, 2019 (PDP Bill 2019), which brought about some key changes in the data privacy regime in India.
However, in August 2022, the Union Minister for Information Technology withdrew the Bill stating that the Ministry will come up with a comprehensive legal framework which will be suitable to the comprehensive legal framework. This is concerning that in a country where the government manages the world’s largest repository of biometric information and uses it to distribute almost US$300 billion worth benefits to its voters,45 there is no data protection law to safeguard them in case of risks and vulnerability.
Currently, data protection and privacy is governed by the Information Technology Act, 2000 (IT Act) and relevant rules framed under the IT Act, that is:
- the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 201146 (SPD Rules);
- the Information Technology (Information Security Practices and Procedures for Protected System) Rules 201847 (Protected System Rules); and
- the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 202148 (Intermediaries Guidelines).
The SPDI Rules protect sensitive personal data of individuals and are applicable to body corporates or persons located within India. The Protected System Rules provide details of infrastructure requirements to be implemented by organisations that have protected systems for highly sensitive data or data collection centres. The Intermediary Rules provide a due diligence framework to be observed by an intermediary while discharging its duties.
Along with these statutes, in cases of crimes in cyberspace, reference from the Indian Penal Code, 1860 is also taken wherein the punishment for defamation, criminal intimidation, cheating, etc., are provided.
Additionally, under the IT Act, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 201349 (CERT Rules) are framed, which establishes that the Indian Computer Emergency Response Team (CERT-In) is a national nodal agency responsible to respond to cyber security incidents. MeitY has also introduced directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for the Safe and Trusted Internet50 wherein organisations’ cyber incidents occurring within their systems or when they notice any such incident have to mandatorily report the same to CERT-In.
The world is witnessing a data revolution right now. It would not be wrong to say that almost every single activity undertaken by an individual involves at least some element of data transaction. With this development, the internet has brought new markets in the world. To quote as an example, Amazon is the world’s largest retailer which has no inventory, Uber is the world’s largest taxi company with no taxi, and Airbnb is the world’s largest accommodation provider that has no real estate of its own.
With users being vulnerable from the data that they share with these platforms, they must be assured that the sharing of data is secure and it is the duty of the government to make sure that their citizens are not vulnerable. However, recurring cyber-threats, data breaches and data leaks have cautioned both the governments and the citizens.
On 19 July 2022, the Ministry of Home Affairs informed the Parliament that there have been 6,74,021 cyber security incidents as of June 2022. On 2 August 2022, the government informed the parliament that between June 2018 and March 2022, Indian banks reported almost 248 data breaches by hackers, most of which were relating to accruing users’ card details along with the theft of business and non-business information.51 An IBM Report stated that data breaches, in India, cost an average of 176 million rupees in 2022, resulting in an increase of cost by 6.6 per cent from last year when the average cost was 165 million rupees.52
Therefore, with increasing threats to security of personal data, it is important that the government does not leave such a critical issue unregulated and formulates legislation to safeguard citizens’ privacy and enforce data security measures taken up by organisations.