Rajarshi Chakrabarti, Senior Resident Partner, Kochhar & Co.

The statistics speak for themselves. As of 2025, India is the second largest telecom market in the world. With teledensity at over 86 per cent, gross revenue at approximately $44 billion in FY 2025, foreign direct investment (FDI) at over $40 billion during April-June 2025, and 5G subscriptions expected to cross 1 billion by 2031, the telecom story of India is nothing short of spectacular. The growth over the last two decades has been fuelled by a combination of factors, including supportive policy making, consumer demand, FDI inflow and growth of the innovation ecosystem. The sector has evolved far beyond mere voice telephony; it serves as the foundational infrastructure for India’s sovereign digital ambitions, underpinning everything from Unified Payments Interface-based payment systems and e-governance to sophisticated cloud architectures. Furthermore, the integration of artificial intelligence (AI) into network management and autonomous decision-making has transformed telecom into a high-stakes arena for both economic growth and national security.

With the enactment of the Telecommunications Act, 2023 (the Act), the regulatory framework finally made a break from the colonial-era Indian Telegraph Act of 1885 and the Indian Wireless Telegraphy Act of 1933 — statutes increasingly incompatible with the realities of 5G, satellite communication and data-centric ecosystems. The guiding principles behind the Act (inclusion, security, growth and responsiveness) seek to ease the compliance burden, increase operational efficiency and promote investment while ensuring business continuity.

In the context of change in the telecom regulatory framework, it would be instructive to recall Justice Antonin Scalia’s comment on the then-introduced law in the US. The judge had pithily remarked, “It would be a gross understatement to say that the Telecommunications Act of 1996 is not a model of clarity. It is in many important respects a model of ambiguity or indeed even self-contradiction.” Any transition from legacy statutes to a modern regulatory framework would typically entail uncertainties and pain points, and it would be safe to state that this Act has its fair share of those attributes. Interpretational ambiguities, potential administrative conflicts and overlapping oversight mechanisms and other possible challenges for seamless implementation have worried critics.

This article discusses key intersectional issues as the new regulatory regime takes shape…

Interplay with the DPDP Act

The operationalisation of the Digital Personal Data Protection [DPDP] Act, 2023 presents potential areas of sectoral conflict and compliance hurdles for telecom companies. This is particularly relevant for data retention, consent requirements, interception powers and grievance handling, despite Section 38(2) of the DPDP Act granting it overriding effect in direct clashes. These tensions arise because the Act focuses on national security, infrastructure and service continuity, while the DPDP Act prioritises individual privacy rights and data minimisation, forcing operators into a balancing act between compliance mandates.

Data retention requirements under the Act and the Telecom Regulatory Authority of India (TRAI) guidelines may pose conflicts with the DPDP Act’s right to erasure (or “right to be forgotten”), which allows users to demand deletion of their personal data once the purpose is fulfilled. Telecom firms may accordingly be compelled to deny such requests by invoking “legitimate uses” under DPDP Act exemptions, meticulously documenting the reasons for refusal to avoid penalties, adding administrative burdens and litigation risks.

The DPDP Act mandates granular, specific, informed and withdrawable consent for every instance of personal data processing, including sensitive details such as location tracking and usage patterns, which are core to telecom operations. In contrast, the Act empowers the government to direct data processing for cybersecurity (for example, under Section 22 for traffic data analysis), bypassing individual consent. TRAI’s existing “Do Not Disturb” and spam regulations further complicate this by imposing separate consent layers for commercial communications, leading to potential dual verification processes and user confusion.

Sections 20 and 21 of the Act grant broad government authority for interception, monitoring and decryption of communications on grounds such as national security, public order, or emergencies, often without judicial oversight or proportionality limits. This clashes with the DPDP Act’s principles of data minimisation, purpose limitation and privacy-by-design, as bulk interception could involve mass data collection that users never consented to.

Big brother at work

While the Act has heralded much-needed reforms in the telecom sector, it has also led to significant concerns in relation to surveillance and monitoring by the government. Sweeping powers of interception, monitoring, collection and analysis of traffic data, including the power to effect shutdowns, have been repeatedly flagged as overbearing and encroaching upon the rights to privacy, freedom of communication and encryption safeguards. More pertinently, the regulatory standards may be construed as vesting the executive with vague, arbitrary, non-transparent powers that may be exercised with impunity. Such a scenario would, no doubt, run contrary to the principles laid down by the Supreme Court in the Puttaswamy case, upholding the right to privacy as a fundamental right, and the Anuradha Bhasin case dealing with the suspension of internet services in the context of the right to freedom of speech. It is, therefore, imperative that the government maintains the delicate balance between national interest and individual rights. Unlike jurisdictions such as the European Union, under Indian law, the oversight mechanism is vested with the executive rather than with an independent/neutral authority. This may potentially cause deviation from acceptable standards of proportionality and reasonableness.

AI readiness and the 2023 act

The Act adopts a “technology-neutral” stance, an approach supported by judicial precedents emphasising the need for flexible regulation in rapidly evolving technological environments. The said stance, however, does not address AI’s increasing integration in telecom services and associated risks. Such risks may go beyond cyber and data security breaches and stem from AI-specific incidents including algorithmic bias, lack of transparency and unpredictable system issues. The current framework remains notably silent inter alia on accountability for autonomous decision-making affecting service quality and transparency obligations for AI systems within critical infrastructure. In the absence of a structured reporting (and remedial) mechanism, AI-specific incidents/failures may go unrecorded, thereby introducing gaps and vulnerabilities. The said scenario also impedes industry’s learning from past incidents, thereby impacting improvement in AI design and its integration with telecom systems.

Since India lacks any AI-specific law and, recognising the importance of the cutting-edge technology in the telecom sector, policymakers may view AI-related incidents as a distinct risk category and specify remedial measures, normative standards, etc.

Conclusion

The Act is a positive move, essential for sustaining growth in India’s telecom sector and its role in the economy. India’s challenge, however, is not merely to achieve sectoral growth but to govern the telecommunications sector as a whole in a manner that is coherent, rights-respecting and globally aligned. The Act is a strong beginning, but it must evolve through careful implementation and regulatory coordination.