Summary: This article examines the newly enacted Telecommunications Act and delves into the concerns and uncertainties surrounding its provisions.
The Telecommunications Act 2023 (“the Act”) received Presidential assent on 24th December 2023 and has now become law. The Act replaces the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act, 1950. The Act is aimed at modernising the telecommunications sector by replacing crude interpretations of ancient laws. It is also aimed at regularizing licensing and spectrum allocation, and at providing a uniform and modern code to aid the expansion and development of the telecommunications sector. However, the Act has been subject to a fair share of criticism and scrutiny regarding its scope of application, and critics argue that it can be used to enable mass surveillance. This article will discuss the apprehensions and haze surrounding the provisions of the Act.
The worry surrounding an overbroad definition
The Telecommunications Act as a sine qua non includes a definition of ‘telecommunication’ in Section 2 (p). The definition has been criticised for being broad and potentially including all forms of digital communication under the sun, including Over-the-Top (OTT) services like WhatsApp and Telegram. The Act under section 20 (2) gives the government the power to intercept and detain messages or suspend services in instances of public emergency, ensuring public safety, sovereignty, and integrity of India.
Section 22 (2) allows the government to collect, store, analyse, and disseminate ‘traffic data’ involved with telecommunications networks. Traffic Data, as defined by the Section, means “any data generated, transmitted, received or stored in telecommunication networks including data relating to the type, routing, duration or time of a telecommunication.” While the procedure for such actions by the government is to be provided for in the rules as and when they are framed, critics argue that the government is undermining personal freedoms and Parliamentary debate by relegating important aspects of the functioning of the Act to delegated legislation.
The Indian Telegraph Act provides for the interception of messages in the interest of India’s sovereignty and integrity, security of the State, public order, or friendly relations with foreign States. This provision was challenged before the Supreme Court in PUCL v. Union of India on the touchstone of Article 19 of the Constitution. The Court laid down guidelines that were consolidated in section 419A of the Indian Telegraph Rules, 1951, and the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017. These two provisions are on the lines of the PUCL judgement and the authority to intercept messages is ideally given by the Secretary to the Government of India in the Ministry of Home Affairs at the Union level, and the Secretary to the State Government in charge of the Home Department at the State level. Hence, the provisions regarding interception of messages are not novel, but may have far-reaching implications due to the broad definition of ‘telecommunications’.
The Interception Issue
India’s system of interception resembles that of the United Kingdom but diverges in material aspects. Unlike the United States and even Australia to an extent, in both India and the UK, the authority to intercept messages comes from the Executive branch of the government. In the UK, interception of communication is governed by the Investigatory Powers Act, 2016 (IPA), and the Interception of Communications Code of Practice.
However, in the UK, the IPA makes provision for the post of an Investigatory Powers Commissioner who makes an annual report to the Prime Minister which is subsequently tabled before the Parliament and is available to the public. In Australia, apart from National security warrants which are issued by the Attorney-General, law enforcement warrants are issued by Judges or members of criminal tribunals.
The issue concerning the wide definition in the Indian Act plagues the UK too. The definition of ‘telecommunication system’ in the IPA is similarly broad, and the UK’s attempts to regulate telecommunications have been consistently contentious, with difficulties in defining emerging technologies to ensure that legislation does not over or under-regulate. The EU has dealt with similar issues by drawing a distinction between Electronic Communications Services (ECS), such as standard voice and text-message services, and Information Society Services (ISS), which include OTT services.
More recently, the UK has witnessed companies that provide messaging applications threaten to exit the country over proposed disclosure, interception, and retention requirements in the form of the Online Safety Bill, which attempts to protect children from harassment and sexual abuse. Technology companies like WhatsApp and Apple market their products on the back of guaranteed user security. Apple’s iMessages and WhatsApp communications are end-to-end encrypted, which ideally means that intercepted messages would be unintelligible and hence communication is secure and inaccessible to the companies themselves. The UK government seeks to gain access to these communications and technology companies are being forced to weigh the cost of complying with UK law on one hand and exiting the market on the other. Concerns over propagation of sexual abuse, and national security are not invalid, but the need of the hour is an informed understanding of proportionality, and the scope of interception necessary to achieve this aim. This is especially important in India since interception is authorised by the executive and not a judicial or independent body.
Europe has seen a slew of challenges to data retention and interception regimes. In Big Brother Watch v. United Kingdom, the Grand Chamber of the European Court of Human Rights held that the UK’s bulk interception regime under RIPA, 2000 was in breach of the European Convention on Human Rights. The Court held that the interception regime did not have adequate independent safeguards, and was thus incompatible with the European Convention on Human Rights (ECHR). This was remedied in 2023. In 2023, the UK Court of Appeal considered a challenge to the IPA’s bulk data retention provisions. The Court found that the Act had sufficient safeguards generally but found for the claimants on a few grounds, namely protection of journalistic material and data from bulk personal datasets. Hence, in the UK, exhaustive clauses on procedural safeguards have passed the muster of the ECHR, and Courts have required high standards of checks and balances for government interception to be held lawful.
In India, such exhaustive provisions are lacking, and the true extent of privacy protection or invasion will be evident only when the relevant rules are framed. Furthermore, the government has recourse to section 69-A of the Information Technology Act, 2000, a provision which has been held to be constitutional by the Supreme Court, and has been used to restrict access to applications (apps) in the past.
In 2020, the government banned hundreds of applications, including the popular app TikTok, and ordered app-stores to remove access to them on the grounds of national security. As shown, there is an undeniable intersection between the Internet and the Telecommunications sector, but the government has tried and tested tools to exercise executive discretion. The broad definition of telecommunications will come into sharper focus as and when either Parliament or the Executive seek to regulate service providers further.
Search and seizure
Section 42 of the 2023 Act is similar to section 7 of the Wireless Telegraphy Act, 1933. It gives authorised officers the power to search any building, vehicle, aircraft, or place in which the officer has reason to believe that any unauthorised telecommunication network or telecommunication equipment, or radio equipment is being concealed.
Under section 165 of the Code of Criminal Procedure, 1973, an officer in charge of a police station or an officer in charge of an investigation may execute a search of a place within their jurisdiction if the officer has reasonable grounds to believe anything necessary for such investigation may be found at such a place. The caveat is that the officer must believe that the object of such a search cannot be obtained without undue delay. In such a manner, the requirement of a search warrant may be avoided.
In State of MP v. Paltan Mallah, the Supreme Court held that an illegal search does not exclude the evidence recovered per se. The evidence that is recovered may be admitted by the Court after assessing whether there is a violation of an express statutory provision or Constitutional freedom and does not cause undue prejudice to the accused. The Courts in India generally tend to favour the inclusion of evidence rather than exclusion on technical grounds. While the power under section 42 of the Act appears to be wide and prone to misuse, it is not unprecedented.
Biometric Information
Section 3 (7) of the 2023 Act provides that authorised entities which provide telecommunication services must identify their users through biometric-based identification. Under section 4 of the Telegraph Act, telecom service providers may identify their users through Aadhaar, Passport, or any other officially valid document or mode of identification as notified. The Supreme Court’s decision in Puttaswamy v. Union of India held that linking Aadhaar with SIM cards was unconstitutional. Pursuant to this judgement, service providers were ordered to accept other documents that act as Proof of Identity and Proof of Address for the Know Your Customer (KYC) process. The Telegraph Act explicitly provided that the subscriber had the ultimate choice amongst the three modes of identity verification. Currently, the Department of Telecommunications has phased out paper KYC and shifted to e-KYC for the issuance of new SIM cards.
In Puttaswamy, the Supreme Court held that mandatory linking of SIM cards with Aadhaar did not meet the test of proportionality. In paragraph 283, the Court explicitly referred to the sensitivity of biometric information and how biometric data can be exploited for commercial gain. The Court held that Aadhaar was not the least intrusive form of identity verification and thus the linkage was struck down as unconstitutional. It may be argued that biometric data can be a legitimate form of verification if adequate safeguards are provided for and the clear link between curbing misuse and fraud related to SIM cards and biometric verification is established. However, the Act does not specify any such safeguards and the provision may be subject to the same outcome as that in Puttaswamy.
The Court in Puttaswamy laid down a three-fold test that legislation must meet to pass muster under Article 21: (i) legality; (ii) the existence of a legitimate state aim; and (iii) proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them. This may be difficult to prove in light of the recent and continuous reports of data breaches and attacks targeting Indian government institutions.
In 2023, it was reported that Aadhaar and Passport details of 815 million Indians were compromised and up for sale. As circumstances stand, the government is caught in a catch-22 situation: if biometric data is indispensable to regulating the telecommunications sector, the government is not in a position to convincingly prove that data that is collected is secure. If these data breaches are to be downplayed, the third limb of the Puttaswamy test is compromised.
Conclusion
This piece has sought to shed light on the controversial aspects of the new Telecommunications Act, and show that some of the provisions of the Act do not raise novel concerns, but simply reproduce existing apprehension. Provisions related to search and seizure, and interception of messages are recurring issues. The concerns regarding mass surveillance turn on the government’s treatment of OTT platforms and other service providers who are not conventionally considered to be standard players in the telecommunications industry.
The extent to which the new Telecommunications Act encroaches on the Right to Privacy will be definitive only after the government frames the rules for collection, interception and storage of data. This would imply that the Act itself becomes a framework for a comprehensive set of Rules. The test of proportionality is still the yardstick by which the Telecom Act will be measured and challenged if need be. The need of the hour is informed and incisive discourse on the specifics of the legislation, and the legitimate interests that vest in interception need to be highlighted and discussed in order to ensure that the people are adequately informed of the crucial balance that is at stake. India can look towards the West and the Global North to pre-empt the pitfalls that plague interception and data regimes.
The Telecommunications Act can find redemption only by redefining the existing telecom regulation regime through the Rules by instituting safeguards, well-reasoned provisions, and a measure of accountability in a historically unaccountable regulatory scheme.
Aditya Panuganti is a second-year student at NLSIU, Bangalore, and an analyst for LAOT.
[Ed Note: This article has been edited by Sohina Pawah and published by Harshitha Adari from the Student Editorial Board.]