Explaining India's Proposed Cybersecurity Rules for Telecom in 2025: Their Implications for Everyone
The Indian government has stirred up a debate with the recent upload of the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, proposing a broad expansion of the government's powers over telecom operators and digital platforms. The draft rules, which were released on June 24, 2025, and are open for public comment until July 24, 2025, have been met with criticism from various quarters, particularly the Internet Freedom Foundation (IFF), which has raised concerns about privacy, surveillance, and regulatory overreach.
The rules grant the government extensive powers to collect user metadata, intercept communications, and disconnect SIM cards or devices on vague grounds such as "public interest." These powers, according to the IFF, lack clear procedural safeguards or an independent oversight mechanism, raising concerns about unchecked surveillance and abuse of power. The review mechanism is limited to government officials assessing their own decisions, which could potentially lead to a lack of transparency and accountability.
One of the key objections of the IFF is the overbroad definition of Telecommunication Identifier User Entities (TIUEs), which potentially includes any digital platform using telecom identifiers to identify users or deliver services. This would extend telecom-style regulations beyond licensed operators to Over-The-Top (OTT) platforms, e-commerce, and other digital services, contradicting earlier assurances that OTT platforms would be excluded from such regulation.
Another concern raised by the IFF is the lack of user notification or remedy mechanisms. Users subject to surveillance or disconnection orders would not be informed, and so would lack opportunities for judicial remedy or to challenge decisions impacting their rights. This, according to the IFF, threatens individuals' fundamental rights to privacy and free speech.
In response, the IFF has recommended restricting the rules' scope to only licensed telecom operators, introducing independent, judicial oversight for surveillance and disconnection orders, guaranteeing user notifications and written orders, and proposing alternative language for the draft rules to better protect privacy and civil liberties.
The proposed rules also include a new tool called MNV Platform (Mobile Number Validation), which will make mobile number validation mandatory in some cases and optional (but paid) in others. The rules also include IMEI Tracking and second-hand device checks, requiring equipment manufacturers to maintain a central IMEI database and for users or sellers to check the database before buying a used phone.
The duo from Khaitan & Co, a heavyweight law firm, acknowledges the draft amendment's technical merit but raises concerns about compliance and constitutional caveats. They argue that extending cybersecurity compliance to TIUEs is a logical evolution, but raise concerns about the burden on smaller businesses and the lack of clear procedural safeguards.
As public comments close on July 24, it remains to be seen whether the government will water down the powers, tighten the definitions, or create avenues for appeal. The outcome of this debate could significantly impact the digital freedom and privacy rights of Indian citizens.
The Indian government's proposed Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, have raised concerns regarding the involvement of technology companies in finance matters, as the rules may require digital platforms to comply with telecom-style regulations.
The Internet Freedom Foundation (IFF) has suggested that the government should introduce independent, judicial oversight for surveillance and disconnection orders, which could potentially impact the privacy and financial transactions of users on digital platforms.
