Out of Coverage

**Arnav Mathur

Introduction 

Imagine waking up to find that your telecommunication services have been abruptly disconnected, not because of a technical malfunction but because of an ambiguous charge of “endangering telecom cyber security” levied against you. This unsettling scenario is not a figment of dystopian fiction but a tangible possibility under the Telecommunications Act, 2023 (“Act”), and its accompanying Telecommunications (Telecom Cyber Security) Rules, 2024 (“Rules”). Central to the controversy is Rule 5, a provision that grants the Government sweeping power to unilaterally suspend and blacklist individual telecom users based on broadly defined and subjective criteria.

This post argues that Rule 5 is ultra-vires the Act. It exceeds the statutory mandate by imposing punitive measures neither contemplated by Parliament nor supported by clear legislative intent. The post first delineates the scheme of the Rules. Secondly, it explains the ultra-vires doctrine. It then assesses the substantive and consistency issues in Rule 5 and explores its constitutional implications. 

Beyond administrative law, this issue is central to India’s digital policy. As the country balances cybersecurity with innovation, protections for national cyber-infrastructure must not come at the cost of fundamental rights or democratic accountability. Rule 5’s unchecked power disrupts regulatory intent and threatens the Rule of Law.

Scheme of the Rules

The Act modernizes India’s telecom regulation by replacing outdated statutes like the Indian Telegraph Act, 1885. It empowers the Central Government through Section 22(1) read with Section 56(2)(v), to frame rules to “protect and ensure cybersecurity of telecommunication networks and services,” with permissible measures including “collection, analysis, and dissemination of traffic data.”

While most rules contain definitions, and compliance and reporting obligations, Rule 5 grants the Government broad punitive powers over end-users. In substance, it empowers the Government, based on its assessment of facts and submissions, to determine whether “any person” has “endangered telecom cyber security” by any act. If the Government deems any act to amount to such endangerment, it may order temporary, or permanent suspension of that person’s telecommunication services by directing disconnection of the person’s telecom identifier​. Furthermore, authorities may bar access to telecom services through any other identifier, network, or provider, effectively blacklisting the individual from all telecommunication networks​. In urgent cases deemed necessary in the “public interest,” Rule 5(6) allows immediate suspension without prior notice. Any order(s) may also be extended to the other telecommunication equipment or identifiers “linked” to the person.

Additionally, Rule 5 mandates that the Government maintain and share a repository of such individuals for up to three years, and prevents the reassignment of suspended identifiers for at least one year. These punitive measures extend beyond mere network safeguards, as nothing in the Act envisages such draconian action against individual users. This raises the central question: Should Rule 5 be struck down as being ultra-vires the parent act?

The Ultra-Vires Doctrine

The doctrine of ultra-vires is a cornerstone of administrative law, governing the validity of subordinate legislation. Ultra-vires means “beyond powers.” Subordinate legislation must conform to the authority conferred by the parent statute; if it goes beyond what the enabling Act permits (substantive ultra-vires), or contravenes any mandatory procedure of enactment (procedural ultra-vires), the rule is void and has been held so by Indian Courts.

 In Kunj Behari Lal Butail and Ors. v. State of H.P., the Supreme Court (“SC”) struck down a rule that barred the transfer of land subordinate to tea plantations, a category expressly exempted by the HP Ceiling on Land Holdings Act, 1972. The SC held that the Act’s power “for carrying out the purposes of the Act” cannot be used to create new substantive rights or obligations. Similarly, in Global Energy Ltd. v. Central Electricity Regulatory Commission, the SC invalidated clauses in Regulation 6A that imposed vague, punitive criteria for disqualifying trading license applicants under the Electricity Act, 2003. It held that disqualifying provisions must be clear and definite; otherwise, they are ultra-vires.

Recently, the SC in Naresh Chandra Agrawal v. Institute of Chartered Accountants, summarised this doctrine: Indian courts will invalidate subordinate legislation when it 

1. Goes beyond the scope of authority delegated by the Act; or
2. Is inconsistent with the Act’s provisions or objects; or 
3. Violates the Constitution.

The Court emphasised that even a broad rule-making clause that gives the power to make rules “for carrying out the purposes of the Act” does not permit rules that “extend the scope or general operation of the enactment.” The delegated power is “strictly ancillary” to the parent Act​​. Rules can fill in details or provide for implementation but cannot impose new obligations, prohibitions, or rights that the statute did not contemplate​. 

How Is Rule 5 Ultra-Vires Its Parent Act?

The Act delegated power to frame rules for protective “measures” to ensure the cybersecurity of telecom networks. However, Parliament did not authorise the executive to determine whether an individual has “endangered” telecom security and to impose a penalty​ for such endangerment. Rule 5 essentially creates a quasi-judicial mechanism controlled entirely by the Government. The Government, based on its subjective assessment, decides if a person’s conduct warrants denial of telecom services​. 

This is a substantial addition to the law: it fabricates a new quasi-criminal act for restricting citizens’ telecom usage (endangering telecom cybersecurity by any act) and a new penalty (suspension of service and blacklisting). The Act envisions mechanisms that target telecom service providers and the network infrastructure; the executive is not empowered to create individualised punitive frameworks or sanctions against telecom end-users. 

There is an incongruence between Rule 5 and the penalty provisions envisaged in the Act in three ways:

Firstly, Section 28 and the Third Schedule of the Act’s penalty provisions pertain exclusively to protecting users and not breaches under Section 22. In its conscious structuring of penalties, the legislature distinctly omitted service suspension or termination under Section 22. If Parliament contemplated, such penalties would have been enumerated explicitly, as demonstrated by analogous provisions within Section 28. Powers under Rule 5 can also be contrasted with analogous provisions such as Section 69A IT Act, 2000, where the parent statute explicitly authorises blocking internet resources. The Act provides no similar explicit authorisation, indicating a deliberate legislative omission. 

Secondly, Section 21 allows the Government to suspend telecom services only in exceptional cases—such as public emergencies, national security threats, or war—using prescribed procedures with documented reasons. Violations trigger Section 42(4), which may impose up to three years’ imprisonment, fines up to two crore rupees, and permit suspension or termination of services. Thus, Section 21 targets networks only, with individual measures applied only if its provisions are contravened.

Rule 5 sits uneasily with the Act, empowering disconnection of a single user’s service in the name of “telecom cybersecurity,” even absent a classic national security trigger. This creates a parallel pathway to cut-off telecom services without the strict substantive conditions imposed by the Act for network shutdowns. In effect, if the Government deems a person’s device or account a cybersecurity risk (which could be as vague as having a malware-infected phone), Rule 5 is triggered. This is against the Act’s logic, where deprivation of services is justified mainly for public emergencies or national security needs​.

Lastly, the notice requirement is waived when it is “necessary or expedient in the public interest.” However, “public interest” is not among the permissible grounds for restricting fundamental rights under Article 19(2) of the Constitution​ and is not a ground specified in the Act for shutting down communications. 

Rule 5 is introducing sanctions as consequences of vaguely defined triggers that are not contemplated by the parent legislation, thus being ultra-vires. 

How Is Rule 5 Ultra-Vires The Constitution?

Even if Rule 5 had implicit statutory backing, it would still be ultra-vires the Constitution, failing tests of reasonableness and proportionality. 

Citizens have a right to know about government actions, as transparency and accountability are key to a functioning democracy. In State of U.P. v. Raj Narain, it was recognised that this right to receive information is part of the freedom of speech under Article 19(1)(a), which later paved the way for the Right to Information Act, 2005. Recently, in Association for Democratic Reforms & Anr. v. Union of India & Ors., the electoral bond scheme was held unconstitutional for violating the right to information of voters.  Telecom services and internet access are integral to fundamental rights. The Supreme Court, in Anuradha Bhasin v. Union of India, affirmed that online speech and trade fall under Articles 19(1)(a) and 19(1)(g), and any restriction must meet Article 19(2) and the proportionality test. Rule 5 flouts these requirements in three ways:

Firstly, the ground “endangering telecom cyber security” is vague and has been left undefined. Neither the Act nor the Rules clearly define what acts or omissions would amount to “endangering” cybersecurity. This overbreadth and vagueness grant the executive wide latitude to label practically any behaviour as a threat. A  layperson cannot reasonably foresee what conduct might fall foul of Rule 5, which raises a serious Article 14/19 issue of vagueness. Such a standardless sweep invites arbitrary enforcement. Ever since E.P. Royappa v. State of Tamil Nadu, the concept of arbitrariness is formally embedded as a ground for striking down any legislative or executive action being antithetical to Article 14. Further, laws that curb fundamental rights on vague grounds have been struck down; for example, in Shreya Singhal v. Union of India, the SC invalidated a speech restriction for using undefined terms like “grossly offensive.”​ 

Secondly, there is a disproportionate impact on rights. Cutting off an individual’s telecommunication services is a drastic measure that excludes someone from the modern digital society. It is a restriction on the right to communicate, access information, and even seek livelihood (if one’s work depends on connectivity). Rule 5 authorises permanent disconnection and even extends an order to “other connections or equipment” the person may try to use, requiring all other providers to deny service to that person​.  Further, the rules lack clear criteria for choosing temporary versus permanent disconnection, giving the government excessively broad discretion in imposing penalties without defined standards. This is not only violative of Article 14 and 19, but includes a threat to the fundamental right under Article 21 as in Olga Tellis v. Bombay Municipal Corporation, the SC held that the right to life under Article 21 includes the right to livelihood, as no person can live without the means of living. On April 30, 2025, in Pragya Prasun v. Union of India, the SC recognised that Article 21 of the Constitution must be reinterpreted in light of technological realities. Therefore, disconnecting telecommunication services, which in today’s digital age may be essential for work and sustenance, amounts to a violation of Article 21.

This extreme outcome could completely ban an individual from phone and internet services nationwide, a punishment far harsher than many criminal penalties and imposed without trial. Proportionality demands that restrictions on fundamental rights be the least intrusive means necessary. Blanket disconnection, with no requirement to explore milder options or set a time limit, effectively inflicts a “civil death” of connectivity, constituting a clear and permanent violation of fundamental rights.

Lastly, when a body holds both regulatory and adjudicatory powers, transparency and accountability demand that separate entities handle these roles to ensure strict adherence to natural justice principles. Analogous frameworks such as the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules under Section 69A IT Act, designate specific officers or committees of senior officials to ensure accountability and transparency. Rule 5 lacks any defined adjudicatory body. Contrarily, it vests power without clarity or specification, leaving discretion over critical punitive decisions undefined. This absence of institutional specificity subverts administrative transparency and accountability.

This concentration of power is problematic. While the Rule nominally provides that a person shall be given an opportunity for a hearing, it is heavily tilted in favour of the authority. In ordinary circumstances, a notice is sent, and the individual is given only seven days to respond; this is an unreasonably short period for someone to prepare a defence, gather evidence, and obtain legal assistance, especially, given the impact of penalty.

Moreover, Rule 5 allows the Government to forego even this minimal notice if it believes prior notice would frustrate the action. While emergencies can justify short-circuiting pre-decisional hearings, the Rule does not ensure a robust post-deprivation review either – it merely states a “reasonable opportunity” will be given without specifying a time-bound impartial appeal mechanism. Another missing safeguard is the lack of an obligation for the Union Government to proactively disclose anonymized statistics on orders issued and their reasons.

There is no provision for appeal or review by an independent tribunal or Court in the Rules. Under the IT Rules, although there is no direct appellate provision, decisions to block internet resources are mandatorily subjected to review by a specially constituted Review Committee. The affected person’s only recourse may be to approach the High Court/Supreme Court under writ jurisdiction, which is not an adequate substitute for a statutory appeal because of cost and time barriers. 

K.C. Davis warns against the dangers of standardless administrative discretion, advocating for “adequate standards and appropriate safeguards” when broad powers are delegated. He proposed that administrative discretion be “confined, structured, and checked.” In the context of Rule 5, we see a near-total lack of all three: no clear criteria for triggers like “endangerment” or “public interest,” no structured guidelines given its open-ended nature, and no appeal mechanism. Rule 5 is a textbook case of a “standardless sweep,” where subjective satisfaction is the sole guide, an approach that is antithetical to the rule of law. 

Complementing this view, Prof. Upendra Baxi has stressed that modern administrative governance must embed procedural safeguards to protect individual rights against executive overreach. In Rule 5, the absence of a statutory tribunal or appellate mechanism to review decisions is particularly troubling, as it vests a quasi-judicial function in the executive, epitomizing the “administrative absolutism” that Baxi criticizes.

The cumulative absence of these safeguards, such as (i) independent decision-maker, (ii) sufficient notice, (iii) opportunity to rebut evidence, and (iv) appellate remedy, makes Rule 5’s procedure contrary to the principles of natural justice and due process. Maneka Gandhi v. Union of India held that any law or procedure affecting personal liberty “has to be fair, just, and reasonable, not fanciful, oppressive or arbitrary.”​ 

Therefore, Rule 5’s mechanism, being heavily stacked against the individual, is unfair and arbitrary, thus unconstitutional under Articles 14, 19 and 21 of the Constitution.

Conclusion 

This post has critically examined Rule 5, demonstrating that it extends far beyond the statutory authority granted by the Act. The analysis shows how Rule 5 is ultra-vires the Act and the Constitution. 

The significance of these arguments is far-reaching. The absence of defined criteria, due process safeguards, and independent oversight jeopardises individual rights and sets a dangerous precedent for executive overreach in regulatory governance. As such, this post reveals a misalignment between the Act’s intent and its administrative implementation. There is an urgent need for reform to preserve the Rule of Law and democratic accountability.

Looking ahead, policymakers must initiate a comprehensive review of Rule 5 and ensure that the Rules are in line with the Act. Further, the focus should be on establishing precise definitions of actionable conduct, instituting clear procedural safeguards, and providing effective avenues for appeal and judicial review. In doing so, we can ensure that administrative measures remain a tool for effective governance rather than an instrument of unchecked power.

**Arnav Mathur is a third-year B.A. LL.B student at NALSAR University of Law, Hyderabad. He is interested in constitutional law, public policy and arbitration law. Additionally, he enjoys weightlifting and F1.

Disclaimer: The views expressed in this blog do not necessarily align with the views of the Vidhi Centre for Legal Policy.