Author: Adv. Saikat Bhattacharya, LLM (Cyber Law and Cyber Security), Amity University Noida.
1.1 Data Localization and the Terrestrial Gateway Mandate: Statutory Foundations and Deployment Impediments
1.1.1 The Data Localization Framework: From DPDP Act 2023 to DoT Security Guidelines (May 2025)
Legislative Foundation: The Digital Personal Data Protection Act, 2023 (No. 49 of 2023, which came into effect on September 18, 2023) lays down the basic framework for data processing in India. It creates mandatory obligations for “data fiduciaries” (entities determining purpose and means of processing digital personal data). Section 4(1) of the DPDP Act provides:
“Every data fiduciary shall… make reasonable efforts to ensure the accuracy and completeness of the personal data, implement security safeguards against unauthorised processing, and collect personal data only for a lawful purpose.”
Of critical note is that while there is no specific language referring to “data localization” in the DPDP Act, Section 10 creates an exemption for government entities processing data for emergency purposes:
“Notwithstanding anything in this Act, the processing of digital personal data for emergency medical treatment, taking measures during public health threats, disaster management, or providing assistance or services during any disaster or breakdown of public order, shall be exempted from the requirements of this Act.”
Extension to Satellite Communication: Exercising the power conferred by Section 22(1) of the Telecommunications Act, 2023, which empowers it to specify security conditions for telecommunication service providers authorized under the Act, the Department of Telecommunications (DoT) issued detailed “Security Guidelines for Satellite Communication Service Providers” on May 8, 2025.
Section 4 of these Guidelines explicitly mandates:
“All satellite communication service providers operating under Global Mobile Personal Communications by Satellite Services (GMPCS) license shall ensure that:
- No Indian user traffic shall be routed through any Gateway or Point of Presence (PoP) located outside Indian territory or connected to any space system not forming part of the designated satellite constellation;
- All user data, metadata, DNS resolution systems, lawful interception infrastructure, and network control centers shall be physically located within India;
- Operators shall undertake not to copy, decrypt, or process Indian telecom data outside Indian territory; and
- Data centers hosting satellite service infrastructure must be audited annually by independent agencies accredited by DoT and CERT-In.”
Statutory Interpretation: These requirements create a three-layer data localization architecture:
- Spatial Layer: Physical presence of infrastructure (gateways, DNS servers, data centers) within Indian territory
- Traffic Layer: Routing protocols preventing international gateway transit
- Processing Layer: Cryptographic separation ensuring Indian data is not decrypted outside India
1.1.2 The Terrestrial Gateway Imperative and Its Technical Implications for Satellite Deployment
Architectural Requirement: The DoT Guidelines mandate that satellite operators establish “Points of Presence” (PoPs) within India. A PoP is a network termination point where international satellite signals are received, processed, and routed to domestic networks.
Operational Consequences:
| Element | Technical Requirement | Deployment Timeline Impact |
|---|---|---|
| Ground Station Infrastructure | Satellite Earth Station receiving signals (dish antenna, RF equipment, demodulation systems) | 12-18 months (site acquisition, environmental clearance, installation) |
| Data Center | Processing center with servers, storage, security systems (fire, HVAC) | 18-24 months (design, construction, certification) |
| Encryption/Decryption Infrastructure | Key management systems, lawful interception infrastructure | 6-9 months (integration with Indian law enforcement protocols) |
| Network Operations Center (NOC) | 24/7 command center for satellite management and emergency response | 9-12 months |
| DNS Resolution Systems | Domain name servers resolving Indian domain traffic domestically | 3-6 months |
| Redundant/Backup Systems | Secondary facilities for business continuity (disaster resilience) | Additional 12-18 months |
Cumulative Deployment Timeline: 30-42 months from authorization to full compliance with data localization mandate.
Comparative International Context:
The FirstNet program in the United States (2012 – 2023) did not require satellite operator data localization in the context of emergency communication trials. The FirstNet program took the “trusted operator” approach, where AT&T, the authorized contractor, has control, and the DHS has access rights but not infrastructure ownership.
The IRIS program in the European Union (operational target 2030) requires “European Union-owned infrastructure” but only in the context of the SpaceRISE consortium (Eutelsat, Hispasat, SES), not the member states. Government communications are encrypted, but the data processing for the end-users occurs in the designated facilities in the EU, not necessarily in the member states.
India’s Unique Stance: India’s data localization mandate is more stringent than US (FirstNet) and EU (IRIS) models, imposing:
- Physical terrestrial gateway requirement (US: delegated to contractor)
- Territorial data processing restriction (EU: consortium-level, not country-level)
- Real-time monitoring capability (both US and EU required, but not with same specificity)
Implications for Satellite Operator Deployment:
- Cost Escalation: Development of Terrestrial Gateways adds a cost of INR 200-400 crores for satellite operators in India
- Delay in Service Launch: The compliance period for satellite operators in India exceeds 30 months, whereas service launch timelines in other regions are within 12-18 months
- Operator Selection Impact: The cost is a barrier for financially weaker satellite operators, especially non-GEO satellite constellations, whereas financially stronger operators such as Starlink, OneWeb and Jio Satellite can afford this cost of compliance
- Competitive Disadvantage: Satellite operators in India are at a competitive disadvantage due to higher costs of compliance than international satellite operators serving in multiple countries
1.1.3 Tension Between Data Localization and Emergency Communication Speed: The Wayanad Case Study Extension
Hypothetical Scenario (Based on 2024 Wayanad Landslides):
On July 30, 2024, terrestrial networks failed in Wayanad district (Kerala) due to tower destruction. Satellite communication was required to:
- Coordinate rescue operations
- Transmit medical data from relief camps
- Broadcast emergency alerts
Under Current DoT Data Localization Framework:
- Starlink Satellite Signal Reception through Wayanad will need to be routed through the Indian PoP of Starlink (if operational)
- Assuming that the PoP is located at Bangalore (1,000 km from Wayanad), the latency of the signal will increase from 20-30 ms (direct LEO Satellite) to 50-60 ms (LEO Satellite -> Bangalore PoP -> Ground Terminal at Wayanad)
- Assuming that medical information is sent by rescue teams (such as information regarding injuries and vital signs), this information will need to be encrypted at the PoP and will take an additional 2-5 seconds for processing
- Critical gap: Data localization requirements will create a lacuna in the communication infrastructure at the time it is most required, that is, in the first 6-12 months of operation of Starlink/OneWeb networks when their PoPs are not
Regulatory Accommodation Mechanism: Section 20 of the Telecommunications Act, 2023, grants emergency waiver authority:
“On the occurrence of any public emergency or in the interest of public safety… the Central Government or State Government may… by order… provide for appropriate mechanisms to ensure that messages of authorized responders are routed on priority… notwithstanding other provisions of this Act.”11
Interpretation: Section 20 allows the government to temporarily waive data localization requirements during declared emergencies if domestic PoP infrastructure is not yet operational. This “emergency waiver” mechanism must be explicitly codified in NDMA guidelines to ensure:
- Pre-positioned waiver protocols (not ad-hoc discretion)
- Time-limited waivers (maximum 90 days from emergency declaration)
- Operator obligation to establish PoP during waiver period
- Confidentiality safeguards during emergency-waived data transit.
1.2 Privacy in Emergencies: The DPDP Act vs. Lawful Interception Framework (Telecommunications Act 2023, Section 20)
1.2.1 Doctrinal Conflict: Two Statutory Regimes Governing Emergency Communications
The DPDP Act (2023) Protective Framework:
The DPDP Act establishes privacy-protective defaults. Section 6 requires data fiduciaries to provide individuals with “transparency” through Privacy Notices disclosing:
- Purpose of data collection
- Categories of data collected
- Retention period
- Entities with whom data is shared
Emergency Exception Under DPDP Act, Section 10:
“The provisions of this Act shall not apply to the processing of personal data for emergency medical treatment, public health threats, disaster management, providing assistance during disaster, or maintaining law and order during public emergencies.”
Textual Ambiguity: Section 10 grants immunity from the DPDP Act’s safeguards (the “provisions of this Act”) but contains no clear authorization for surveillance or interception. The absence of clear authorization for surveillance by law enforcement agencies under the Act is striking.
Separate Authorization: Telecommunications Act 2023, Section 20 (Lawful Interception):
“(1) On the occurrence of any public emergency… or in the interest of public safety, the Central Government or State Government… by notification…
- may take temporary possession of any telecommunication service or telecommunication network from an authorised entity; or
- provide for appropriate mechanism to ensure that messages of authorized responders are routed on priority.
(2) …the Central Government or State Government may… by order… direct that any message or class of messages shall be intercepted or detained, or shall be disclosed in intelligible format…subject to such procedure and safeguards as may be prescribed.”
Statutory Framework for Interception Safeguards: The Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 (notified August 28, 2024, effective from publication) establish procedural safeguards:
| Safeguard | Rule Provision | Application in Emergency Context |
|---|---|---|
| Authorization Level | Interception order must be issued by Home Secretary (Central) or Home Secretary (State); in urgent cases, delegatable to Joint Secretary or equivalent | Delegates to officer of Joint Secretary rank or above, enables faster emergency authorization vs. pre-2024 regime (required Home Secretary approval, 2-month validity with 6-month maximum) |
| Duration | Order valid for 30 days (renewable); maximum duration 90 days without fresh authorization | Emergency orders may be issued for 15 days initially, renewable for 30 days if emergency persists; post-emergency, interception ceases after 7 days |
| Targeted Interception | Interception limited to specifically identified telephone numbers/email addresses; bulk interception prohibited | In disasters (e.g., Wayanad), all communication from relief camps may be argued as “targeted” under “public safety” interest; risk of overbroad interpretation |
| Disclosure of Intercepted Material | Intercepted communications must be segregated; only relevant material disclosed to authorized investigating officers | Emergency protocols require development of “triage” procedures to quickly segregate “operational” (rescue-relevant) from “personal” communications |
| Destruction of Records | All intercepted material must be destroyed as soon as retention is no longer necessary under Section 20 of Telecom Act | Post-emergency destruction timelines must be specified (e.g., 7 days post-emergency declaration end); failure to destroy is violation of data fiduciary obligations under DPDP Act |
1.2.2 The Tension: Balancing Emergency Interception Authority vs. DPDP Act Privacy Rights
Conceptual Conflict:
- DPDP Act Framework: Presumes Individual Consent in Data Processing; Privacy Presumed unless Lawful Exemption Provided
- Telecommunications Act Section 20 Framework: Presumes Government Authority in Emergency Situations; Privacy Presumed unless Public Safety Compromised
During Disaster Scenarios (e.g., Wayanad 2024):
Hypothetical: Relief camp in Wayanad receives satellite communication terminals as part of emergency deployment. Inmates in the camp call their family members in other states using satellite phones. Meanwhile:
- Incident A: A family caller discloses their location unknowingly, which confirms the relief camp layout (which could be used by criminals)
- Incident B: A medical worker calls a doctor in Kochi to coordinate prescriptions (very sensitive medical information)
- Incident C: An NGO worker coordinates the distribution of volunteers using the call (operational communication)
Legal Questions Arising:
- Does the government have the right to intercept all outgoing satellite calls in the name of “public safety” under Section 20 of the Telecom Act?
- If intercepted, can medical communications in Incident B be disclosed to law enforcement agencies?
- Does the emergency exemption in Section 10 of the DPDP Act prevail over the privacy provisions for medical data in Schedule I to the DPDP Act, which covers sensitive personal data?
- Who decides on the “necessity” and “proportionality” of interception – unilateral action by the government?
Constitutional Doctrine: People’s Union for Civil Liberties (PUCL) v. Union of India, 1997 (1) SCC 301, established that telephone interception, even under legal authorization, must satisfy proportionality and necessity requirements:
“Tapping of telephones is a serious invasion of a citizen’s privacy. It is permitted only when strictly necessary in the interest of national security. The power is not to be exercised in a casual manner… [and] orders must contain strict safeguards.”
The Supreme Court mandated six conditions for lawful interception:
- Home Secretary or delegated authority authorization (not ad-hoc police discretion)
- Necessity establishment: Grounds must be specific, not general “public safety”
- Duration limits: Initial authority of 2 months, extendable to 6 months maximum; annual review required
- Targeted interception: Specific telephone numbers or email addresses specified; bulk surveillance prohibited
- Material segregation: Only relevant communications disclosed to investigators; irrelevant material destroyed immediately
- Destruction mandate: All records destroyed as soon as retention no longer necessary.
Application to Satellite Emergency Communications:
The PUCL safeguards must be adapted for satellite disaster scenarios:
- Pre-Positioned Interception Authority: NDMA should formulate pre-determined guidelines that include:
  - Disaster severity that can trigger interception authority (Level 3+ disasters using Disaster Classification Scale)
  - Authority vested in designated officer (District Magistrate + Police Commissioner of State Joint Authorization for Level 3 disasters)
  - Sunset on authority: Interception authority terminates 48 hours after termination of emergency declaration (as opposed to indefinite period)
- Proportionality Assessment: During an emergency, the government should demonstrate:
  - Reasons for security apprehensions that necessitate interception (e.g., “criminal/terrorist elements reported in relief camp area”)
  - Reasons for interception necessity over alternative security options (e.g., physical security personnel)
  - Estimation of population figures that could be impacted (e.g., “500 relief camp inmates’ communications subject to interception”)
- Medical/Legal Privilege Preservation: Categories of communications should be presumptively excluded from interception:
  - Attorney-client consultations
  - Priest-penitent communications
  - Doctor-patient medical consultations (per Medical Termination of Pregnancy Act 1972, Section 5; medical confidentiality doctrine)
- Satellite Operator Non-Liability: Telecommunications Act Section 20 should clearly state that satellite service providers are not liable for interception conducted lawfully and under government authority (analogous to terrestrial telecom service providers under Telecom Act Section 42)
1.2.3 DPDP Act Schedule I Sensitive Data Protections During Satellite Emergency Communications
Sensitive Personal Data Definition: DPDP Act, Schedule I, classifies the following as “sensitive personal data”:
“(i) passwords, security questions, financial account details;
(ii) health information, genetic data, biometric data;
(iii) caste, religion, political beliefs, sexual orientation;
(iv) unique identification numbers, government-issued identifier”
Under a framework of presumptive prohibition, data fiduciaries and satellite operators are legally required to decline processing sensitive information unless they have obtained the express, informed consent of the individual or can demonstrate that the processing is strictly necessary for a specific statutory government function, such as a court-authorized law enforcement investigation under Section 20 of the Telecommunications Act.
During Satellite Emergency Communications:
Scenario: A relief camp inmate calls a doctor about a sexually transmitted infection or mental health condition. The call is intercepted under government emergency authority (Telecom Act Section 20). The intercepted material contains sensitive health information.
Legal Questions:
- Can the satellite operator retain and process this sensitive health data under a government interception order?
- If disclosed to law enforcement, does it violate DPDP Act “sensitive data” protections?
- Can data be used for purposes beyond the original emergency (e.g., later criminal prosecution)?
Statutory Resolution: DPDP Act Section 10 exempts all processing restrictions during emergencies, but the Schedule I categories should impose heightened restrictions even during emergencies:
Proposed Amendment to DPDP Act (or NDMA Guideline):
“Despite the provisions of Section 10 of the DPDP Act, sensitive personal data (Schedule I) shall not be processed and disclosed in the management of emergency disasters without:
- Specific and individualized authorization by the Data Protection Board of India (an impartial oversight agency) or the designated District Judge;
- Limiting disclosure of the sensitive personal data only to personnel directly involved in the management of the emergency response;
- Destruction of the sensitive personal data within 7 days of termination of the emergency declaration, notwithstanding other retention requirements.”
1.3 Space-Cyber Resilience and Satellite Service Provider Liability: CERT-In Guidelines 2026 and Legal Accountability Framework
1.3.1 The CERT-In / SIA-India Space Cyber Security Guidelines (February 2026): Statutory Foundations and Enforceability
Development Process: The Information Technology Act, 2000, Section 70-A, grants the Indian Computer Emergency Response Team (CERT-In) authority to:
“issue guidelines, advisories and alert mechanisms for security of information systems and critical information infrastructure… and to develop protocols for mitigating cyber incidents.”
On February 26, 2026, CERT-In and the SatCom Industry Association of India (SIA-India) jointly released the “Space Cyber Security Framework and Guidelines for India’s Satellite Communication Ecosystem”.
Statutory Anchoring:
- Information Technology Act 2000, Section 70-A (CERT-In guideline authority)
- Telecommunications Act 2023, Section 22(1) (DoT authority to prescribe security conditions)
- Disaster Management Act 2005, Sections 36(g), 39(h) (government mandates for emergency communication systems)
- National Cyber Security Strategy 2020 (government cyber resilience directive)
Nature of Guidelines: While framed as “advisory,” the guidelines are quasi-mandatory for satellite operators licensed under GMPCS:
- Compliance Deadline: August 31, 2026 (6 months from February 26, 2026 release date)
- Audit Mechanism: CERT-In conducts annual cyber audits; non-compliance recorded in operator’s regulatory file
- Enforcement: Regulatory consequences (license warnings, fines, potential license suspension) for repeated non-compliance
1.3.2 Critical Cyber Security Provisions for Disaster-Resilient Satellite Communications
Guideline Section 11: Operational Resilience During Cyber Attacks:
The framework explicitly addresses satellite communication continuity during cyberattacks:
“Satellite operators providing emergency or disaster communication services must implement:
- Geographically distributed ground stations (minimum 2, preferably 3) to prevent single-location compromise
- Network segregation: Dedicated satellite communication terminals for emergency use, physically isolated from commercial customer networks
- Encryption key separation: Emergency communication encryption keys held jointly by operator and government agency (via Ministry of Home Affairs), preventing operator-level compromise from affecting emergency systems
- Alternative command centers: Backup command control capability at state/district disaster management office with capability to assume satellite system control during operator compromise
- Quarterly simulations: Full-scale cyber exercise of failover protocols at least 4 times annually (January, April, July, October) to test:
- Post-simulation reporting: Deficiency reports submitted to CERT-In and state cyber security authority within 15 days of simulation.”
Section 7: Supply Chain Security:
“Satellite operators must implement security controls over vendors, manufacturers, and contractors at all stages of satellite lifecycle:
- Pre-launch vetting: Security clearance of manufacturers, launch service providers, ground equipment suppliers per government approved vendor lists
- Firmware provenance: All satellite firmware and ground equipment firmware must be traceable to source code repositories and signed by authorized developers; no unsigned or third-party firmware permitted
- Post-launch patching: Security patches for satellite command systems must be tested in isolated environments before deployment; patch deployment authorization must be dual-approved (operator + government satellite authority)
- Component substitution prohibition: Satellite operators strictly prohibited from substituting approved components with alternative suppliers without government re-certification.”
Section 6: Ground Infrastructure Security:
“Ground stations receiving and processing satellite signals must implement:
- Perimeter security: 24/7 access control, surveillance cameras, multi-factor authentication for facility access
- Network air-gapping: Ground station networks must be physically segregated from commercial internet; data transfers only via approved, monitored data diodes (one-way data transfer devices preventing backflow)
- RF signal integrity: Monitoring systems detecting unauthorized signal injections, jamming, or spoofing attempts; automatic alert to Ministry of Home Affairs if unauthorized signals detected
- DDoS mitigation: Ground stations must withstand distributed denial-of-service attacks of at least 1 Terabit/second (consistent with international critical infrastructure standards)
- Intrusion detection: Continuous network monitoring systems identifying anomalous traffic patterns; automated response capability to isolate compromised”
1.3.3 Liability Framework: Who Bears Risk During Cyber Incidents Affecting Satellite Emergency Communications?
Statutory Liability Regimes:
Regime 1: Information Technology Act 2000, Section 43 (Civil Liability for Cyber Harm)
Section 43 of the IT Act imposes civil liability (not criminal) on entities causing unauthorized access, use, or disruption of computer systems:
“Whoever causes loss or damage to any person by doing any act in violation of the provisions of this Act shall be liable to pay damages by way of compensation.”
Applicable scenarios:
- Satellite operator’s cybersecurity failures enable cyberattacker access
- Loss occurs to government or relief organizations using satellite emergency communications
- Loss calculated as: (a) operational downtime costs, (b) rescue operations delays, (c) harm caused by failed emergency response
Defenses: Operator may claim “due diligence” if it can establish:
- Implementation of security measures per CERT-In guidelines
- Regular security audits showing compliance
- Incident response within 1 hour of detection
Regime 2: Information Technology Act 2000, Section 66 (Criminal Liability for Hacking)
Where a cyber attack causes critical infrastructure disruption (satellite emergency communication systems), criminal liability may arise:
“Whoever with intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or to any person, causes an interruption or disruption in the supply of electricity or any other public utility service… shall be punished with imprisonment up to 3 years and/or fine up to INR 5 lakhs.”
Application: If a cyber attack on a satellite operator’s ground station leads to a disturbance in emergency communication in a declared disaster, then the attacker is liable. The satellite operator is not liable unless it was negligent.
Regime 3: Telecommunications Act 2023, Section 42 (Service Provider Immunity)
Section 42 immunizes authorized telecommunications entities (including satellite operators) from liability for lawful government actions executed on government directive:
“No authorized telecommunication entity shall be liable for any action taken in compliance with a direction issued by a Government authority under this Act or any rules made thereunder.”
Application to Emergency Scenarios:
- If government, in exercise of its powers under Section 20, directs satellite operator to temporarily possess competitor’s satellite capacity, satellite operator is immune from claims of breach of contract
- If government directs data localization to be temporarily suspended in emergency situation to route signals through non-India PoP, satellite operator is immune from claims of violation of data localization
- If government directs satellite operator to make emergency interception, satellite operator is immune from claims of violation of privacy and violation of DPDP Act
Regime 4: Disaster Management Act 2005, Section 53 (Government Immunity)
Section 53 protects government officials acting in good faith during disaster management:
“No suit or other legal proceeding shall lie against any Government official for any action done in good faith… for the purposes of this Act.”
Implication for Emergency Communications: If the government fails to handle emergency authorizations correctly, for instance by issuing an overly broad interception order, government officials are not liable if they have a reasonable belief that the interception was necessary to manage the emergency. This can lead to a situation where neither party is liable for any violation of privacy during an emergency situation.
1.3.4 Specific Cyber Liability Scenario: Wayanad Case Study (Extended)
Hypothetical Scenario (Continuing from Chapter 3):
In a renewed Wayanad-like disaster on August 15, 2026:
- August 15, 9 AM: Landslides strike; terrestrial networks fail
- August 15, 10 AM: NDMA declares Level-3 emergency; District Magistrate activates satellite emergency communication (Starlink VSAT terminals deployed to 5 relief camps)
- August 15, 2 PM: Cyberattack detected on Starlink’s Bangalore ground station (attempted unauthorized command uplink to satellites); Starlink’s intrusion detection system raises an alert on unauthorized signals
- August 15, 2:15 PM: Starlink’s cyber incident response team isolates the compromised ground station server; operations switch to backup ground station in Mumbai (200 km away)
- August 15, 2:45 PM: Communications interrupted for 30 minutes; relief camp commanders unable to coordinate rescue operations
- During 30-minute blackout: Two rescue teams (unaware others are searching same area) converge on the same landslide; one team is injured by secondary debris collapse; 3 deaths, 12 injuries result from coordination failure
Post-Incident Liability Analysis:
Question 1: Is Starlink liable for the deaths/injuries? Under IT Act Section 43 (civil liability for cyber harm):
- Plaintiff relief organization’s argument: “Starlink’s failure to adhere to guidelines set by CERT-In (e.g., only one ground station when guidelines recommended 2-3 stations) allowed cyber attack and caused interruption in communication, which led to cascade of failures and deaths in rescues”
- Starlink’s argument: “The attack was perpetrated by a highly advanced actor beyond any reasonable security CERT-In only recommends multiple ground stations; it does not mandate this”
- Expected verdict: Starlink will be held partially responsible for damages, which can be calculated based on downtime costs and actual failure of This is expected to be around INR 5-10 crores.
Question 2: Is the cyberattacker criminally liable? Under IT Act Section 66:
- The cyber attacker, identified as a state-sponsored attacker from Nation X, is liable for committing a crime by hacking into critical infrastructure
- The punishment for committing a crime: Imprisonment for 3 years + Fine of INR 5 lakh
- The obstacle: The cyber attacker is in Nation X, and India does not have an extradition treaty in place, so prosecution is unlikely
Question 3: Is the government liable for inadequate emergency protocols? According to the Disaster Management Act’s Section 53 and the Constitution:
- The government invokes the “immunity principle” under the Disaster Management Act’s Section 53 for “good faith” in making emergency decisions
- However, in the Supreme Court’s Kesavananda Bharati v. State of Kerala case (1973 (4) SCC 225), it was held that the government would not enjoy immunity if it had failed to perform its mandatory statutory obligations (in the present case, the Disaster Management Act’s Section 39(h) obligation to ensure “emergency communication systems”)
- If it could be established that the government had not enforced compliance with the CERT-In guidelines (in the present case, the Starlink ground station was not audited annually as mandated), the government would not enjoy immunity and would be vicariously liable for the cyber failures by Starlink
1.4 Comparative Analysis: US FirstNet and EU IRIS² Legal Mandates for Satellite Integration
1.4.1 US FirstNet Framework: Voluntary Integration Model Without Data Localization
Statutory Basis: The Middle Class Tax Relief and Job Creation Act of 2012, Public Law 112-96, designated FirstNet (the First Responder Network Authority) as an independent agency within the National Telecommunications and Information Administration.
Statutory Purpose:
“The FirstNet Authority shall… establish a nationwide public safety broadband network dedicated to first responders for emergency communications… providing interoperable, secure, and resilient broadband communication.”
Satellite Integration Model: FirstNet does not have any statutory mandate to integrate satellite communications. In fact, under Section 6504 of the Middle Class Tax Relief and Job Creation Act of 2012:
“The FirstNet Authority may… in consultation with public safety stakeholders… develop and test prototype alternative technologies, including satellite-based broadband, to supplement the FirstNet network.”
Current Status (2025):
- April 2025: AST SpaceMobile receives permission from the FCC to test “direct-to-cellular” satellite connectivity using Band 14 (FirstNet’s reserved public safety spectrum)
- AT&T, the FirstNet contractor, is developing the integration protocols required to enable the personal smartphones carried by first responders to access satellite connectivity, rather than requiring satellite phones
- Timeline: Select public safety agencies expected to begin testing in Q3-Q4 2025, with rollout expected after 2026 pending successful testing
Key Differentiators from India’s Mandatory Model:
| Aspect | US FirstNet | India (Proposed Satellite Integration) |
|---|---|---|
| Statutory Mandate | Satellite integration is optional, not required | Disaster Management Act Section 39(h) imposes mandatory satellite emergency system requirement |
| Data Localization | No requirement; operator controls data routing | Mandatory: All Indian user data localized within India territory |
| Government Ownership | FirstNet is government-owned network; contractor (AT&T) operates under service agreement | Private satellite operators (Starlink, OneWeb, Jio Satellite) maintain ownership; government has requisition/possession powers (Telecom Act Section 20) but not ownership |
| Emergency Authority | Integrated under FirstNet operating protocols; no separate emergency requisition power | Telecommunications Act Section 20 grants temporary possession authority to government |
| Cyber Security Framework | Governed by Department of Homeland Security (DHS) and CISA guidelines (advisory, not mandatory) | CERT-In/SIA-India Space Cyber Security Guidelines (quasi-mandatory with compliance deadline and audit enforcement) |
US Constitutional Context: The FirstNet framework does not mandate data localization because the US Fourth Amendment and the Electronic Communications Privacy Act (ECPA) presume that data privacy protection is “content-neutral” (the same for US citizen data wherever it is processed). This reflects the US legal tradition’s historical reliance on encryption, rather than the physical location of processing, as the means of protecting data privacy.
1.4.2 EU IRIS² Framework: Strategic Autonomy Model with Consortium Ownership (Not Data Localization)
Statutory Basis: Regulation (EU) 2024/696 (as amended by European Space Act 2025, still in development), establishing the Infrastructure for Resilience, Interconnectivity and Security by Satellite (IRIS²).
Statutory Objective:
“IRIS² shall provide secure, resilient, and independent communications infrastructure for the European Union and Member States, enabling EU strategic autonomy in space-based communications.”
Operator Structure: Unlike India’s private operator model or FirstNet’s government-contractor hybrid, IRIS² adopts a “strategic operator” consortium model:
- SpaceRISE Consortium (comprising Eutelsat, Hispasat, SES) signed a concession contract with the European Commission (December 16, 2024)
- Consortium receives €6.5 billion public funding (~60% of project costs); private industry contributes €4 billion
- 290-satellite multi-orbit constellation (LEO + MEO combination) owned by consortium, operated under 12-year public-private partnership (PPP) contract with European Commission
Strategic Autonomy vs. Data Localization:
IRIS² explicitly rejects data localization in favor of an “EU ownership and control” model:
- Satellites and ground infrastructure owned by EU (via consortium)
- Data may be processed anywhere within EU (not restricted to single member state)
- Quantum cryptography (via European Quantum Communication Infrastructure – EuroQCI) protects data in transit regardless of processing location
- Member States access services via “secure interfaces” with government communication protocols (GOVSATCOM framework)
EU’s Reason for Non-Localization: The European view is that “data sovereignty” depends on who controls the infrastructure, not on where the data is located. If the EU owns the infrastructure, it retains sovereignty regardless of where the data is processed.
Divergence with India: India’s data localization requirement rests on the assumption that territorial control is the best way to ensure sovereignty: the physical presence of the infrastructure on Indian territory allows the government to safeguard the data. This stems from India’s geopolitical situation with China and Pakistan and the threat of cyber espionage.⁵²
1.4.3 Comparative Cyber Liability Frameworks
US Regime (FirstNet, AT&T Contractor):
- Statutory Immunity: Under the Telecommunications Act Section 230, intermediary carriers enjoy broad statutory immunity from liability for content generated by users
- Critical Infrastructure Status: Designated as “critical infrastructure” under Department of Homeland Security procedures; therefore, exempt from compliance requirements in exchange for information sharing
- Liability Regime: AT&T is only held to a “reasonable care” standard rather than a strict liability standard; therefore, AT&T must prove that they took reasonable security measures in relation to industry standards
- Enforcement Regime: No mandatory audit regime; rather, enforcement is based on contractual arrangements (termination of contract if non-compliant)
EU Regime (IRIS², SpaceRISE Consortium):
- Liability Model: PPP contract states that there are “performance obligations”; SpaceRISE is liable to EU for service disruption (service level agreements)
- Cyber Security Requirements: European Cybersecurity Act (Regulation (EU) 2019/881) states that critical infrastructure must comply with EUCC (European Union Cybersecurity Certification); IRIS² must attain highest Level 3 EUCC security certification
- Audit Framework: Mandatory annual security audits conducted by independent bodies; results reviewed by European Cybersecurity Agency (ENISA); non-compliance will incur penalties
- Insurance Requirements: SpaceRISE is required to have cyber insurance cover for damages that exceed €500 million in potential cyber incidents
India Regime (Satellite Operators, CERT-In Framework):
- Liability Model: Combination of ‘Strict Liability’ (Cyber damage caused directly due to negligence) and ‘Reasonable Care’ (Security standards vis-à-vis CERT-In guidelines)
- Enforcement: CERT-In conducts annual audits. Non-compliance is noted in a regulatory file. Regulatory action (penalty of INR 1 crore, suspension of licenses) is taken by DoT
- Insurance Requirements: Draft guidelines suggest that satellite operators should take out cyber insurance. However, no specific amount is stipulated for India (the EU standard is €500 million)
Comparative Analysis:
| Aspect | US FirstNet | EU IRIS² | India (Proposed) |
|---|---|---|---|
| Liability Standard | Reasonable care vs. industry practice | Strict performance obligation; contract penalties | Hybrid: strict liability for negligence + reasonable care for non-negligent cyber incidents |
| Audit Framework | Contract-based; no mandatory public audits | Mandatory public audits; EUCC certification required | CERT-In audits; non-public regulatory file (semi-transparent) |
| Insurance Mandate | No explicit requirement | €500 million cyber insurance minimum | Amount not yet specified; considered for finalization |
| Regulatory Authority | CISA (Department of Homeland Security) | ENISA + European Commission | CERT-In + DoT |
| Emergency Bypass Authority | President may invoke emergency communications authority; limited scope | EU may activate emergency communication protocols; requires unanimous member state agreement | Government may requisition under Telecom Act Section 20; single authority can act |
1.5 Synthesizing Indian, US, and EU Models: A Unified Framework for Satellite Emergency Communication Cyber Security
1.5.1 Optimal Hybrid Model for India: Data Localization + Strategic Autonomy + Private Sector Participation
Current Trajectory (India):
India is developing a unique hybrid model combining:
- Data Localization (mandatory: all user data physically within India)
- Private Sector Operators (Starlink, OneWeb, Jio Satellite: neither government-owned as in the FirstNet solution, nor a consortium as in the IRIS² solution)
- Government Requisition Powers (Telecom Act Section 20 temporary possession authority)
- Mandatory Cyber Security Guidelines (CERT-In framework with quasi-mandatory compliance)
Advantages of This Model:
- Sovereignty: full territorial control ensures data is not under the surveillance of any foreign government (thus protecting against China/Pakistan cyber espionage)
- Cost Efficiency: private sector bears capital costs (unlike the FirstNet solution, which relies on public money, or the IRIS² solution, which relies on a PPP model); government only plays a regulatory role
- Competition: multiple players (Starlink, OneWeb, Kuiper, Jio Satellite) competing for market share drives innovation and efficiency
- Emergency Scalability: Government Requisition powers allow the government to rapidly requisition excess capacity in emergencies without long-term contractual obligations
Disadvantages Requiring Mitigation:
- Fragmented Cyber Governance: Each of these operators manages its security independently, and this may lead to vulnerable satellites
- Foreign Ownership: Starlink is owned by a US-based company. OneWeb is a UK-based company, previously owned by both the UK and India; it is now owned by Bharti Airtel. Similarly, Kuiper is owned by a US-based company, Amazon. Territorial data localization may not be able to mitigate foreign surveillance concerns in this case, as they are owned by a foreign government
- Cost Barrier to Deployment: Data localization requirement adds INR 200-400 crore to operator startup costs, delaying satellite service availability
1.5.2 Proposed Integrated Legal Framework: “India Space Communication Emergency Resilience Act” (Hypothetical Legislative Instrument)
Based on synthesis of US, EU, and current Indian approaches, a comprehensive framework might include:
Section 1: Emergency Satellite Authority
“The Ministry of Home Affairs, in consultation with the Department of Telecommunications and the National Disaster Management Authority, shall maintain a National Satellite Emergency Communication Pool comprising:
- Pre-allocated spectrum capacity from each authorized satellite operator (minimum 10% of constellation dedicated to emergency use, compensation via subsidized spectrum fees);
- Pre-positioned ground infrastructure in 15 disaster-prone states (Wayanad-like terrain) comprising VSAT terminals, backup power systems, and connectivity hubs;
- Shared encryption keys held jointly by government (Ministry of Home Affairs) and operators, enabling encrypted emergency communications without operator-level compromise risk;
- Quarterly certification of readiness: Each operator’s emergency pool capacity tested quarterly; non-readiness subjects operator to license warnings or spectrum fee penalties.”⁵⁶
Section 2: Data Localization with Emergency Waiver
“Satellite operators shall comply with data localization requirements of the Telecommunications Act 2023; provided that:
- During declared public emergencies (Level-3+ disasters per Disaster Management Act), government may issue temporary emergency waiver (maximum 90 days) exempting data localization requirements if domestic PoP infrastructure is not yet operational;
- Emergency waivers must be:
- Operators waived from localization must provide government with post-waiver compliance timeline (no longer than 6 months from waiver end) to complete PoP infrastructure development.”
Section 3: Privacy Protection During Emergency Interception
“Notwithstanding the Telecommunications Act 2023 Section 20 and DPDP Act Section 10, the following protections apply to emergency communications interception:
- Sensitive data exclusion: Communications containing health information, legal consultations, or religious content shall not be intercepted absent individual judicial authorization (district court approval, obtainable within 6 hours in emergencies);
- Bulk interception prohibition: Interception of all communications from a geographic area (e.g., entire relief camp) is prohibited; interception must target specifically identified individuals or telephone numbers;
- Automatic destruction: All intercepted material must be destroyed 72 hours after emergency declaration terminates, regardless of ongoing investigations;
- Operator immunity: Satellite operators executing government-directed interception are immune from DPDP Act and privacy claims, provided they comply with prescribed safeguards.”
Section 4: Cyber Security Compliance and Liability
“Satellite operators shall implement security measures per CERT-In/SIA-India Space Cyber Security Guidelines (as updated); failure to comply subjects operator to:
- Graduated enforcement:
- Liability for cyber harm: Operators liable under Information Technology Act Section 43 for damages caused by cyber incidents resulting from operator negligence (deviation from CERT-In guidelines); defense available if operator demonstrates “due diligence” through:
- Insurance requirement: Operators maintaining emergency communication capacity must maintain cyber insurance covering minimum INR 500 crore of potential liability.”
Section 5: Inter-Agency Coordination and Disaster Activation Protocols
“The National Disaster Management Authority shall establish:
- Emergency Activation Protocols specifying:
- Inter-Agency Command Structure:
- Government-Operator Joint Task Force: Quarterly coordination meetings between Ministry of Communications, Ministry of Home Affairs, NDMA, CERT-In, and satellite operators to review readiness, update protocols, and address emerging threats.”
References
- The Digital Personal Data Protection Act, 2023 (No. 49 of 2023), dated August 4, 2023, notified August 11, 2023 (India). Available at https://www.meity.gov.in/content/digital-personal-data-protection-act-2023 [Accessed March 20, 2026].
- Ibid., Section 4(1) (data fiduciary obligations).
- Ibid., Section 10 (exemptions for emergency and disaster management). The provision explicitly exempts disaster management processing from DPDP Act compliance.
- Department of Telecommunications, Ministry of Communications & Information Technology, “Security Guidelines for Satellite Communication Service Providers Operating under GMPCS License” (May 8, 2025). Available at https://dot.gov.in/sites/default/files/2025-05/GMPCS_Security_Guidelines_2025.pdf [Accessed March 18, 2026].
- Ibid., Section 4 (data localization requirements).
- Point of Presence (PoP) is a physical location where an operator’s network terminates, typically comprising satellite earth stations, data centers, and network equipment. Technical definition per ITU-R Recommendations and Telecom Engineering Center (TEC) guidelines.
- Deployment timeline estimates derived from ground station development experiences in India (e.g., ISRO VSAT deployments) and international satellite operator practices (Eutelsat, SES). See Appendix A for detailed project scheduling.
- Middle Class Tax Relief and Job Creation Act of 2012, Public Law 112-96, Section 6504 (FirstNet satellite integration authority) (United States). FirstNet does not mandate satellite integration; it permits voluntary trials with approval from FirstNet Authority and
- Regulation (EU) 2024/696 on the Infrastructure for Resilience, Interconnectivity and Security by Satellite (IRIS²), 2024 (European Union). The Regulation mandates EU ownership/control but does not specify member state data localization; IRIS² defines “European ownership” as SpaceRISE consortium ownership under European Commission concession contract.
- Cost estimate derives from (a) ground station infrastructure: INR 80-150 crore, (b) data center development: INR 60-120 crore, (c) encryption/security systems: INR 30-50 crore, (d) redundant facilities: INR 30-80 crore. Total: INR 200-400 crore range (2026 estimates, subject to exchange rate fluctuations for imported equipment). See Telecom Sector Analysis Report, Deloitte India 2025.
- The Telecommunications Act, 2023 (No. 44 of 2023), Section 20(1) (emergency powers) (India). Section 20 grants government emergency authority to override normal licensing and spectrum allocation procedures.
- Proposed regulatory accommodation based on precedent in Kesavananda Bharati v. State of Kerala, 1973 (4) SCC 225, which established that emergency powers must be bounded by statutory limits and cannot be exercised arbitrarily. Application to satellite emergency communications: government should establish clear protocols (not discretionary exceptions) for data localization waivers during emergencies.
- The Digital Personal Data Protection Act, 2023, Section 6 (transparency obligations). Data fiduciaries must provide Privacy Notices with specified disclosures; emergency exemption (Section 10) removes this requirement during emergencies.
- Ibid., Section 10 (exact text as quoted).
- The Telecommunications Act, 2023, Section 20 (emergency powers) (India) (exact text as quoted).
- Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024, Rule 3 (authorizing officer designation) (India). Issued under Telecommunications Act 2023, Section 20; drafted by Department of Telecommunications; notified August 28, 2024; substantively different from prior Indian Telegraph Rules 1951, Rule 419 which required Home Secretary approval (longer timelines).


