According to the telecom operators in India, classified as significant data fiduciaries (SDFs) under the Digital Personal Data Protection (DPDP) Rules 2025, many of their concerns and requests for greater clarity raised during public consultations remain unaddressed in the final rules notified by the Ministry of Electronics and Information Technology (MeitY).
Unresolved areas include parameters for the security-compliance framework, the age-verification process for minors, data protection impact assessment (DPIA) obligations for SDFs, operational aspects of multilingual consent, and the need for harmonisation with existing sectoral regulations.
The Cellular Operators Association of India (COAI), said that unlike other sectors, telecom providers already operate mature networks with established system-security controls. It noted that these controls significantly minimise risks of data exfiltration or unauthorised access, and therefore, safeguards should be assessed in a layered and risk-based manner for the telecom sector.
Further, COAI recommended a practical exemption from establishing verifiable consent for minors aged 16-18 years during SIM acquisition, stating that the requirement poses operational challenges and does not reflect India’s diverse household structures or the level of digital autonomy promoted under various government initiatives.
The DPDP rules prohibit directors and key personnel of data fiduciaries from associating with Consent Managers. COAI said this provision is overly stringent, noting that several established organisations in technology, financial, and telecom services possess the expertise required to run responsible consent-management systems.
Meanwhile, the telecom industry also raised concerns about overlapping security-breach reporting requirements under the Information Technology (IT) Act, Indian Computer Emergency Response Team (CERT-In) directions, and Department of Telecommunications (DoT) guidelines. The association recommended the creation of harmonised timelines to avoid duplication.
COAI also suggested that CERT-In and the Data Protection Board established under the DPDP Rules adopt a unified breach-reporting timeline with a single trigger, a common reporting window, and a standardised incident-notification format applicable across all digital and telecom entities.
