Telecom Sector — DPDPA Compliance

DPDPA for Telecom, ISPs & Communication Services

Q: How does DPDPA apply to telecom operators in India?

DPDPA applies to all telecom operators (TSPs) processing digital personal data of subscribers in India. This includes subscriber registration data (Aadhaar-linked), call detail records (CDRs), location data, browsing data (for ISPs), billing data, and device information. TSPs must comply with DPDPA alongside TRAI regulations, DoT licence conditions, and the Telecom Act 2023 provisions on data protection. The key challenge is reconciling DPDPA's consent requirements with statutory obligations for lawful interception and CDR retention.

Q: What is the relationship between TRAI regulations and DPDPA?

TRAI has its own subscriber data protection requirements under the Telecom Subscribers' Charter and various regulations on unsolicited commercial communication (UCC). DPDPA creates a parallel framework that applies to all digital personal data processing by TSPs. Areas of overlap include consent for marketing (TRAI DND + DPDPA Section 6), subscriber data sharing with third parties, and grievance redressal. TSPs must build compliance that satisfies both TRAI and DPDPA requirements simultaneously.

Q: How does DPDPA handle CDR and location data?

CDRs and location data are personal data under DPDPA when they relate to identifiable subscribers. TSPs process CDRs for billing (deemed consent under Section 7 for contractual obligations), but retention beyond billing purposes requires separate lawful basis. Location data processing for value-added services requires explicit consent under Section 6. Law enforcement access to CDRs falls under Section 17(2) exemptions, but TSPs must still maintain processing records and ensure requests comply with applicable procedural safeguards.

Telecom operators process personal data at a scale matched by no other sector — every call, every message, every location ping. DPDPA layers on top of TRAI regulations, DoT licence conditions, and the Telecom Act 2023.

TRAI + DPDPACDR GovernanceLocation Data5G / IoTTelecom Act 2023

A single telecom operator in India processes personal data of hundreds of millions of subscribers — subscriber identity, location, communication patterns, browsing behaviour. Every major TSP will likely be classified as a Significant Data Fiduciary under Section 10, triggering the highest tier of DPDPA obligations.

Sub-Sector Analysis

DPDPA Challenges by Telecom Sub-Sector

Telecom Service Providers (TSPs)

Licensed operators — mobile, fixed-line, broadband

›Subscriber registration data (Aadhaar-linked KYC) — statutory retention vs DPDPA purpose limitation
›Call Detail Records (CDRs) — billing purpose vs law enforcement retention vs analytics use
›Location data from cell towers — continuous processing of movement patterns
›Unsolicited commercial communication (UCC) — TRAI DND registry + DPDPA consent alignment
›Subscriber data sharing with content partners, VAS providers, and advertising networks
›SDF classification likely for all major TSPs given subscriber base of millions

Internet Service Providers (ISPs)

Broadband, fibre, enterprise connectivity

›Browsing data and DNS query logs — personal data classification and retention limits
›Deep packet inspection (DPI) for network management vs privacy implications
›Enterprise customer data — B2B processing where employees are data principals
›IP address and device fingerprint data governance
›Content filtering obligations vs data minimisation under DPDPA

Tower Companies & Infrastructure Providers

Passive infrastructure with data exposure

›Site acquisition data — landowner personal data processing and retention
›Energy and maintenance contractor data — processor relationships
›Shared infrastructure — multiple TSP data flows through single tower infrastructure
›Smart tower IoT sensors generating location-adjacent data
›Employee and field technician data governance

OTT Communication Platforms

WhatsApp, Signal, Zoom, Teams — operating in India

›Metadata processing — who communicated with whom, when, duration, frequency
›End-to-end encryption and lawful interception obligations under Telecom Act 2023
›Cross-border data transfers for global platforms — Section 16 compliance
›Group communication data — consent from all participants vs group admin consent
›Business messaging and API data processing — B2B vs B2C classification

5G & IoT Ecosystem

Connected devices, smart cities, industrial IoT

›Machine-to-machine (M2M) data — when does IoT data become personal data under DPDPA?
›Connected vehicle data — location, driving patterns, occupant data processing
›Smart city sensor data — surveillance vs public service delivery
›Industrial IoT in factories — employee monitoring through connected equipment
›Edge computing and data localisation — where does processing happen?

5 DPDPA Compliance Pillars for Telecom

Subscriber Consent Architecture

Telecom consent spans service activation, VAS, marketing, analytics, and data sharing. Build layered consent that separates statutory processing (KYC, lawful interception) from commercial processing (targeted advertising, partner data sharing).

Section 6, Section 7

CDR & Location Data Governance

CDRs and location data are the backbone of telecom compliance risk. Define retention periods for each purpose — billing, fraud detection, law enforcement, analytics — and implement automated purging when purpose expires.

Section 8(7), Section 17(2)

TRAI–DPDPA Harmonisation

Map every TRAI regulation against DPDPA requirements — DND registry vs Section 6 consent, subscriber data protection vs DPDPA rights, TRAI complaint mechanism vs DPDPA grievance redressal.

TRAI Act, Section 6, Section 13

Cross-Border Data Architecture

Global platforms, international roaming, submarine cable data — telecom has complex cross-border data flows. Map every transfer against Section 16 and DoT licence conditions on data sovereignty.

Section 16, DoT Licence

SDF Compliance Programme

Every major TSP will be an SDF. Build DPO appointment, DPIA framework, periodic audit mechanism, and algorithmic assessment for automated subscriber profiling and credit scoring.

Section 10, Rule 14

Related DPDPA Resources

Compliance Checklist

8-phase implementation guide

Significant Data Fiduciary

Section 10 SDF obligations

Cross-Border Transfers

Section 16 + sectoral overlay

Data Breach Response

Multi-authority notification

Consent Management

Section 6 consent framework

DPDPA vs GDPR

15-dimension comparison

Enterprise Governance

Board-level framework

DPDPA Consulting

Counsel-led advisory services

Telecom-Specific DPDPA Advisory

Telecom compliance operates at population scale. AMLEGALS brings 27 years of telecom regulatory experience to DPDPA implementation — from subscriber data governance and CDR compliance to 5G data architecture and TRAI harmonisation.

Request a Confidential Briefing

Our data privacy counsel will reach out within one working day.

Insights & Answers

What practitioners and boards are asking

How does DPDPA apply to telecom operators in India?

DPDPA applies to all telecom operators processing subscriber data in India. including registration data, call detail records, location data, and browsing data. TSPs must comply with DPDPA alongside TRAI regulations and DoT licence conditions. Every major TSP will likely be classified as a Significant Data Fiduciary under Section 10 given their subscriber base. CDRs and location data are personal data under DPDPA. billing processing may qualify for deemed consent under Section 7, but analytics and advertising require explicit consent under Section 6. AMLEGALS advises telecom entities on TRAI DPDPA harmonisation, CDR governance, and 5G/IoT data architecture.