Eighteen months after Parliament passed the Telecommunications Act 2023, the Department of Telecommunications (DoT) is quietly operationalising two sets of rules that together amount to one of the most significant expansions of state surveillance authority in India in a generation. The Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules 2024 and the Telecommunications (Telecom Cyber Security) Rules 2024 — notified in late 2024 and progressively enforced through 2025 and into 2026 — recreate the executive-controlled interception architecture of the colonial-era Indian Telegraph Act 1885, with broader scope and weaker safeguards. Through 2025-2026, the Internet Freedom Foundation (IFF) and SFLC.in have flagged the absence of independent judicial oversight, the elastic grounds for interception, and the emergence of a parallel surveillance regime that runs alongside the existing Information Technology Act framework.
For a country that aspires to host the next billion internet users, lead in AI development, and become a trusted destination for cross-border data flows, this is precisely the wrong signal to send.
What the rules actually do
The Lawful Interception Rules empower a Union Home Secretary or state-level equivalent to authorise interception of any message transmitted through a telecommunications network on grounds that include national security, sovereignty and integrity, the security of the State, friendly relations with foreign States, public order, and preventing incitement to the commission of any cognisable offence. Telecom service providers (TSPs) must comply within hours, retain interception records, and route requests through designated nodal officers.
The Telecom Cyber Security Rules go further. They require TSPs to share traffic data — not just metadata about specific suspects but bulk traffic information — with the Central Government on demand, mandate reporting of broadly defined “telecom cyber security incidents” within six hours, and authorise the government to direct messaging services and TSPs to suspend service in identified geographies. The definition of “telecommunication” in the parent Act is wide enough to potentially capture OTT communications services, even though the government has so far publicly disavowed that reading.
The missing safeguard: judicial pre-authorisation
The Supreme Court of India laid down the framework for lawful interception in People’s Union for Civil Liberties v Union of India (1996), creating a procedural shell that depended on a Review Committee of senior bureaucrats to check executive interception orders after the fact. Even at the time, this was a thin substitute for prior judicial scrutiny. After the nine-judge bench in K.S. Puttaswamy v Union of India (2017) recognised informational privacy as a fundamental right and articulated proportionality as the constitutional test, that thin shell looked thinner still.
The 2024 Rules do not fix this. The Review Committee mechanism is reproduced almost verbatim from the Telegraph Rules. There is no requirement that an independent judicial officer assess the necessity and proportionality of an interception order before it takes effect, no statutory notification of subjects after surveillance ends, and no mandatory destruction timeline that an external auditor can verify. As IFF has argued in its public submissions, this falls short of the proportionality benchmark Puttaswamy demands.
Why this matters for the digital economy
Surveillance regimes are not just civil-liberties issues. They are industrial-policy issues. India is simultaneously courting hyperscaler data-centre investment, negotiating data adequacy conversations with the EU, and positioning itself as a trusted alternative for global supply chains in cloud, semiconductors and AI. Each of these depends on counterparties believing that data placed under Indian jurisdiction will be treated lawfully and proportionately.
- Cross-border data flows: EU adequacy assessments under the GDPR explicitly examine government access to data. Broad executive interception powers without judicial pre-authorisation have historically been a sticking point — as the Schrems II ruling against the US framework demonstrated.
- Investor confidence: Founders building privacy-sensitive products in fintech, health-tech, and AI are watching whether India’s rules look more like a GDPR-plus-judicial-warrant model or the older state-security model.
- Network security itself: Mandating bulk traffic-data sharing and creating large pools of intercepted communications creates honeypots that are themselves national-security risks if compromised.
A pro-innovation path forward
None of this means India should not have a modern interception framework. Law enforcement needs lawful access tools, and a statute from 1885 was overdue for replacement. The question is how to design the new regime well.
A proportionate framework would include three things the 2024 Rules currently lack. First, prior judicial authorisation — ideally by a designated bench of the High Court — for any interception that is not an immediate emergency, with retrospective judicial confirmation within 48 hours for emergencies. Second, statutory transparency reporting: aggregate numbers of interception orders, by ground and by agency, published annually, as the UK Investigatory Powers Commissioner does. Third, a narrowed, defined list of cyber-security incidents with proportional reporting timelines, distinguishing genuine network compromises from routine operational events.
The Digital Personal Data Protection Act 2023 already exempts government processing for security purposes — and that exemption only retains public legitimacy if the surveillance regime it shields meets constitutional standards. Bolting an expansive executive interception architecture onto a statute the government has marketed as a modernisation reform is a missed opportunity. The DoT should re-open consultations on both Rules with a clear mandate: bring the framework in line with Puttaswamy, or expect the Supreme Court to do it for them.