Telecom operators raise concerns over India's new data protection rules
28 Nov 2025

India's telecom operators have expressed concerns over the country's newly notified digital data protection rules.

The Cellular Operators Association of India (COAI) has flagged issues such as children's data, consent management, breach reporting, and legislative overlap.

These concerns were raised during earlier consultations but remain unaddressed in the current framework.

The industry body argues that these compliance requirements are still unclear and could conflict with existing sectoral regulations.

COAI proposes changes to consent management rules
Proposal

COAI has proposed changes to the rules governing consent managers, calling them "overly stringent."

The association particularly objects to provisions that bar directors and key personnel from having any association with data fiduciaries.

It argues that many tech, financial, and telecom companies have the expertise to operate responsible consent-management systems.

The industry body also suggested a single interoperable consent-management layer for telecom operators or exemption from using external consent managers where robust in-house systems are present.

Concerns over parental consent for minors
Parental consent

On the issue of children's data, COAI has flagged the difficulty of obtaining verifiable parental consent for users under 18.

The association reiterated its demand for a practical exemption for minors aged between 16 and 18 years from SIM acquisition.

This is in view of the unique family structures in India that make it difficult to get such consents.

COAI calls for harmonized breach-notification model
Breach reporting

COAI has also flagged overlapping breach-reporting obligations under the IT Act, CERT-In directions, Department of Telecommunications (DoT) guidelines, and the DPDP framework.

The association has suggested a harmonized breach-notification model across regulators to simplify compliance.

This recommendation is in line with recent NITI Aayog panel suggestions aimed at improving ease of doing business in India.

Acceptance of global data protection impact assessments
Global standards

COAI has also sought acceptance of Data Protection Impact Assessments recognized under global frameworks such as the GDPR by Indian authorities.

The group has emphasized that telecom service providers already have mature network and system security controls in place.

It has suggested that compliance requirements should be assessed in a layered, risk-based manner rather than through prescriptive tools like encryption or masking alone.