Media Nama: Delhi: Friday, 5 September 2025.
The Department of
Telecommunications (DoT) has refused to disclose the comments it received on
the draft amendment to the Telecommunication Cybersecurity Rules, 2024. In
response to a MediaNama RTI seeking these comments, the DoT cited the exemption
to disclose this information under Section 8(g) and Section 8(h) of the RTI
Act.
Section 8(g) exempts the government from disclosing information that would “endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes”. Meanwhile, Section 8(h) exempts the government from sharing information that would impede the process of investigation/ apprehension/ prosecution of offenders.
“On a very literal reading of these two RTI sections, it does not seem like that they are applicable in this situation. In any case, comments which the government gets in response to a call for comments, and are informing the policy decision of the government should not be held in a confidential capacity anyway,” Maansi Verma, the Founder of the civic engagement initiative Maadhyam told MediaNama.
She argued that if the government is worried about the privacy of individual respondents, it can redact the names of said individuals. “But if organisations and corporates are submitting comments, their names would not be covered under personal data protection requirements,” she explained.
What does the draft amendment say?
The draft amendment to the cybersecurity rules seeks to bring entities other than licensed telecom companies under the scope of telecom regulation through the introduction of a new entity category Telecommunication Identifier User Entity (TIUE).
Under this draft amendment, TIUEs have to use a government-operated Mobile Number Validation (MNV) platform to check the mobile numbers they use to provide users with access to their services.
They also have to comply with a range of cybersecurity requirements, such as blocking certain identifiers from accessing their services based on government instructions, or reporting and submitting data about the telecom identifiers to the government.
The concerning part about these rules is that the TIUE classification can include just about any business from a messaging platform like WhatsApp to an e-commerce platform like Amazon, or even a local store that sends receipts and discounts over WhatsApp.
Lack of clarity around reason for RTI rejection:
The DoT’s rationale for rejecting the RTI request raises questions because when MediaNama had filed an RTI seeking the comments the DoT received about the original draft of the rules, the government shared them (albeit almost a year later).
Even if one were to argue that comments pertaining to a cybersecurity consultation could have information that identifies a source or assistance given in confidence for law enforcement or security purposes, the same should have been applicable to the comments on the 2024 rules as well.
Verma told MediaNama that typically, if government departments or committees want to restrict access to comments from a consultation, they outrightly mention that.
“You may have seen that whenever a standing committee invites comments, they mention that they will hold these comments in a fiduciary capacity or will keep them confidential. Usually, they make these comments public only when they submit their reports,” she explained.
Verma added that different government departments/statutory bodies have different policies about revealing consultation comments. While some, like the Telecom Regulatory Authority of India (TRAI), disclose comments during consultations, others keep them confidential till they publish the final rules.
“That could be one of the reasons why they made comments to the earlier telecom cybersecurity rules available only after the rules were finalised,” she mentioned.
Verma further pointed out that if one were to challenge the RTI response, the government could argue that the Digital Personal Data Protection Act (DPDPA, 2023) has changed the legislative intent of the RTI Act.
For context, the yet-to-be-operationalised DPDPA amends the RTI Act, allowing the government to decline any RTI request relating to information about a person.
What about the pre-consultation legislative policy?
The RTI rejection, as is the case with any other tech policy RTIs, is indicative of a worrying trend where the rationale behind policy decisions remains behind closed doors.
The government has previously refused to share submissions around crucial tech policy regulations such as the then-draft data protection bill, and the Online Gaming Policy.
Notably, under the Pre-Legislation Consultation Policy, every Department/Ministry must proactively publish proposed legislation both on the internet and through other means.
This includes both draft legislations (like the Telecommunication Bill, 2022) and draft rules they may release under said legislation (like all the draft rules under the Telecom Act, 2023, and their amendments).Further, the policy mentions that the government must place the summary of feedback/comments it receives on the draft legislation on its website.
Verma had mentioned in a previous conversation about the government’s refusal to disclose comments to the Broadcast bill that this policy was not mandatory. She explained that because of the directory nature of the policy, one cannot compel the government to disclose comments/summary of comments.
Why it matters:
Comments and submissions give a sense of how stakeholders across different sectors are thinking about a specific rule/regulation. The draft telecommunication cybersecurity amendment rules have left a lot of questions unanswered, making it unclear how the validation process will occur, how the government will prevent misuse, and address privacy issues. Civil society experts argue that the draft amendment has no penalty provisions to prevent a company that misuses information accessed via the platform from repeating the same actions again.
On the business side, during MediaNama’s discussion about the draft amendment, speakers mentioned that the cost for using the government’s validation service (either Rs 1.5 or Rs 3) is much higher than the current SMS-based OTP validation: which costs between 12 paise (p) to 15p.
Besides costs, stakeholders also raised concerns about commercial privacy, wherein the validation platform could end up disclosing a company’s entire customer base to a telecom company during the validation process.
In this case, the vast applicability of the draft amendment makes these comments even more important to gauge any measures stakeholders may have suggested to rectify the various privacy and operational issues in the rules.
Without these inputs, one may never know whether the government is actually factoring in stakeholder feedback into its decision-making process.
Section 8(g) exempts the government from disclosing information that would “endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes”. Meanwhile, Section 8(h) exempts the government from sharing information that would impede the process of investigation/ apprehension/ prosecution of offenders.
“On a very literal reading of these two RTI sections, it does not seem like that they are applicable in this situation. In any case, comments which the government gets in response to a call for comments, and are informing the policy decision of the government should not be held in a confidential capacity anyway,” Maansi Verma, the Founder of the civic engagement initiative Maadhyam told MediaNama.
She argued that if the government is worried about the privacy of individual respondents, it can redact the names of said individuals. “But if organisations and corporates are submitting comments, their names would not be covered under personal data protection requirements,” she explained.
What does the draft amendment say?
The draft amendment to the cybersecurity rules seeks to bring entities other than licensed telecom companies under the scope of telecom regulation through the introduction of a new entity category Telecommunication Identifier User Entity (TIUE).
Under this draft amendment, TIUEs have to use a government-operated Mobile Number Validation (MNV) platform to check the mobile numbers they use to provide users with access to their services.
They also have to comply with a range of cybersecurity requirements, such as blocking certain identifiers from accessing their services based on government instructions, or reporting and submitting data about the telecom identifiers to the government.
The concerning part about these rules is that the TIUE classification can include just about any business from a messaging platform like WhatsApp to an e-commerce platform like Amazon, or even a local store that sends receipts and discounts over WhatsApp.
Lack of clarity around reason for RTI rejection:
The DoT’s rationale for rejecting the RTI request raises questions because when MediaNama had filed an RTI seeking the comments the DoT received about the original draft of the rules, the government shared them (albeit almost a year later).
Even if one were to argue that comments pertaining to a cybersecurity consultation could have information that identifies a source or assistance given in confidence for law enforcement or security purposes, the same should have been applicable to the comments on the 2024 rules as well.
Verma told MediaNama that typically, if government departments or committees want to restrict access to comments from a consultation, they outrightly mention that.
“You may have seen that whenever a standing committee invites comments, they mention that they will hold these comments in a fiduciary capacity or will keep them confidential. Usually, they make these comments public only when they submit their reports,” she explained.
Verma added that different government departments/statutory bodies have different policies about revealing consultation comments. While some, like the Telecom Regulatory Authority of India (TRAI), disclose comments during consultations, others keep them confidential till they publish the final rules.
“That could be one of the reasons why they made comments to the earlier telecom cybersecurity rules available only after the rules were finalised,” she mentioned.
Verma further pointed out that if one were to challenge the RTI response, the government could argue that the Digital Personal Data Protection Act (DPDPA, 2023) has changed the legislative intent of the RTI Act.
For context, the yet-to-be-operationalised DPDPA amends the RTI Act, allowing the government to decline any RTI request relating to information about a person.
What about the pre-consultation legislative policy?
The RTI rejection, as is the case with any other tech policy RTIs, is indicative of a worrying trend where the rationale behind policy decisions remains behind closed doors.
The government has previously refused to share submissions around crucial tech policy regulations such as the then-draft data protection bill, and the Online Gaming Policy.
Notably, under the Pre-Legislation Consultation Policy, every Department/Ministry must proactively publish proposed legislation both on the internet and through other means.
This includes both draft legislations (like the Telecommunication Bill, 2022) and draft rules they may release under said legislation (like all the draft rules under the Telecom Act, 2023, and their amendments).Further, the policy mentions that the government must place the summary of feedback/comments it receives on the draft legislation on its website.
Verma had mentioned in a previous conversation about the government’s refusal to disclose comments to the Broadcast bill that this policy was not mandatory. She explained that because of the directory nature of the policy, one cannot compel the government to disclose comments/summary of comments.
Why it matters:
Comments and submissions give a sense of how stakeholders across different sectors are thinking about a specific rule/regulation. The draft telecommunication cybersecurity amendment rules have left a lot of questions unanswered, making it unclear how the validation process will occur, how the government will prevent misuse, and address privacy issues. Civil society experts argue that the draft amendment has no penalty provisions to prevent a company that misuses information accessed via the platform from repeating the same actions again.
On the business side, during MediaNama’s discussion about the draft amendment, speakers mentioned that the cost for using the government’s validation service (either Rs 1.5 or Rs 3) is much higher than the current SMS-based OTP validation: which costs between 12 paise (p) to 15p.
Besides costs, stakeholders also raised concerns about commercial privacy, wherein the validation platform could end up disclosing a company’s entire customer base to a telecom company during the validation process.
In this case, the vast applicability of the draft amendment makes these comments even more important to gauge any measures stakeholders may have suggested to rectify the various privacy and operational issues in the rules.
Without these inputs, one may never know whether the government is actually factoring in stakeholder feedback into its decision-making process.
.JPG)
.JPG)
