Data localisation requirements for telecom and internet service providers: Current law


  1. Background


  1. The Chairman of the Telecom Regulatory Authority of India (“TRAI”), RS Sharma, has announced that TRAI will soon release its final recommendations on data privacy and security in the telecom sector.[1] These recommendations will be based on the responses received to TRAI’s consultation paper on Privacy, Security and Ownership of Data in the Telecom Sector (“Consultation Paper”).
  2. The Consultation Paper indicates that TRAI is considering bringing service providers offering services that are “comparable” to Telecom Service Providers (“TSPs”) under its fold, by making them subject to the same data protection rules as telecommunications companies.[2]
  3. In this context, it becomes important to understand the data protection norms for stakeholders under the present regulatory landscape. This note identifies the data protection requirements that the TRAI currently imposes on TSPs and Internet Service Providers (“ISPs”), with a specific focus on data localization.


S.No. 1
Law / License: Unified License Agreement (“ULA”) issued by the Department of Telecommunications (“DoT”)

Telecom Service Providers:

1. General data protection requirements:

1.1 TSPs are governed by Part I of the ULA.

1.2 TSPs shall have the responsibility to ensure protection of privacy of communication and ensure that unauthorized interception of messages does not take place (Clause 37.1, ULA).

1.3 TSPs are obliged to maintain all commercial records, call detail records, exchange detail records and Internet Protocol (“IP”) detail records of communications exchanged on the network (Clause 39.20, ULA).

1.4 These details are to be archived for at least one year for scrutiny by the DoT for security reasons (Clause 39.20, ULA).


2. Data localisation requirements:

2.1 Under Clause 39.23(viii) of the ULA, TSPs cannot transfer to any person or place outside India:

2.1.1 Any accounting information relating to a subscriber (except for international roaming/billing) (Note: this does not restrict a statutorily required disclosure of a financial nature); and

2.1.2 User information (except information pertaining to foreign subscribers using an Indian Operator’s network while roaming).

Internet Service Providers:

1. ISPs are governed by both Part I and Part II (Chapter IX) of the ULA.


2. Part II of the ULA does not impose any additional data localisation requirements on ISPs.


3. Thus, ISPs are subject to the same data localisation requirements as TSPs.


S.No. 2
Law / License: Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”)

Telecom Service Providers:

1. TSPs are subject to the IT Act as it governs the provision of services under the ULA (Clause 16.3, ULA).


2. While there is no data localization requirement under the IT Act per se, there are conditions for the cross-border flow of data.


3. TSPs can only transfer sensitive personal data or information to a third party (whether in India or overseas) if the following conditions have been satisfied:

3.1 The third party ensures the same level of data protection as that provided under the IT Rules; and

3.2 The transfer is pursuant to and necessary for the performance of an existing contract with the data subject; or

3.3 The transfer is with the consent of the person providing the information. (Rule 7, IT Rules)


4. To this extent, the cross-border flow of information is restricted for TSPs.

Internet Service Providers:

1. Since ISPs are governed by the same terms and conditions as TSPs under the ULA, they are also subject to the IT Act under Clause 16.3 of the ULA.


2. Thus, ISPs are subject to the same restrictions on the cross-border flow of data as TSPs.




[This post is authored by Tuhina Joshi, Associate, TRA].



[2] Refer Question 10, Chapter V, TRAI Consultation Paper on Privacy, Security, and Ownership of the Data in the Telecom Sector, 09 August 2017.

