The Cellular Operators Association of India (COAI), representing major telecom operators like Reliance Jio, Bharti Airtel, and Vodafone Idea, has urged the government to review and harmonize sector-specific regulations with the new Digital Personal Data Protection (DPDP) framework. The industry body seeks clear interpretative guidance to minimize ambiguity, avoid duplication of compliance processes, and facilitate a smooth transition for all stakeholders.
The COAI emphasized that a review aligning specific laws (like telecom regulations) with the general DPDP Act is essential, adhering to the well-established legal principle that specific laws prevail over general laws.
The industry body highlighted several areas where additional clarity and practical considerations are required under the DPDP Rules, which were notified on November 14 and will become fully operational after 18 months:
- SIM Acquisition for Minors: The COAI has sought a practical exemption for minors aged 16-18 years for SIM acquisition under DPDP Rules. They argue that establishing verifiable consent for users below 18 presents practical challenges and does not adequately reflect India’s diverse household structures.
- Data Breach Notification: Concerned about mandatory, non-proportionate notification requirements for data breaches, COAI suggested adopting a proportionate reporting model, similar to those followed in Japan and several EU jurisdictions.
- Unified Reporting: Given the multiplicity of incident-reporting obligations under the IT Act, CERT-In directions, and DoT guidelines, COAI proposed that CERT-In and the Data Protection Board adopt a unified breach-reporting timeline, with a single trigger and harmonized procedures to avoid unnecessary duplication.
The COAI also proposed reforms regarding the Data Protection Impact Assessment (DPIA) requirements, which currently mandate Significant Data Fiduciaries (SDFs) to undertake an audit once every 12 months to ensure compliance with the DPDP Act.
- COAI suggested that the DPIA requirements should be risk-based rather than strictly annual and prescriptive.
The DPDP Rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space. However, telcos are seeking practical clarifications to ensure cohesive compliance across India’s complex regulatory regimes.
Key Highlights:
- The Cellular Operators Association of India (COAI) has requested the government to harmonize sector-specific telecom regulations with the new DPDP (Digital Personal Data Protection) framework to reduce ambiguity and avoid duplication of compliance processes.
- The industry body sought a practical exemption for minors aged 16-18 years for SIM acquisition, citing challenges in establishing verifiable consent for this age group under the new rules.
- COAI proposed adopting a proportionate data breach reporting model (similar to Japan/EU) and suggested that the CERT-In and Data Protection Board should unify incident-reporting timelines across regulatory regimes.
- The organization also recommended that the mandatory Data Protection Impact Assessment (DPIA) for Significant Data Fiduciaries should be risk-based rather than an annual prescriptive audit.