The Rise and Retreat of India’s “Mandatory App State”: A Legal Analysis of the Sanchar Saathi Pre-Installation Mandate and Its Rapid Rollback

I. Introduction: A Day-Long Policy Experiment with Constitutional Stakes

On 28 November 2025, the Department of Telecommunications (DoT), invoking powers under the Telecommunications (Telecom Cyber Security) Rules, 2024, issued a sweeping direction requiring mandatory pre-installation of the Government’s Sanchar Saathi app on all mobile phones manufactured in or imported into India.

Within 24 hours of severe public backlash—privacy concerns, industry resistance (including Apple’s reported refusal), constitutional objections, and political criticism—the Government withdrew the mandate, clarifying that Sanchar Saathi would remain voluntary.

This short-lived order has, however, left behind profound constitutional questions:

  • Can the executive compel software installation on every personal device through delegated legislation?
  • Where is the outer limit of State power over digital ecosystems?
  • Does mandatory cybersecurity-driven software risk creating tools of surveillance?
  • Are subordinate rules being stretched beyond legislative intent?
  • What does this mean for future health-tech, pharma-regulatory, and digital governance apps?

This commentary examines the mandate—and its reversal—through India’s current legal architecture, judicial precedents, and constitutional doctrine.

II. Legal Basis Claimed by the Government: Rule 8 and Rule 5 of the Cyber Security Rules

The withdrawn direction relies on:

1. Rule 8(3), 8(4) and 8(8) of the Telecom Cyber Security Rules, 2024

  • Rule 8(3): prohibits tampering with telecom identifiers (e.g., IMEI).
  • Rule 8(4): allows the Centre to issue directions to manufacturers/importers to assist in preventing IMEI tampering.
  • Rule 8(8): obligates compliance with such directions.

2. Rule 5

Empowers the Government to establish security mechanisms to prevent acts that may endanger telecom cybersecurity.

But the key question:

Do these rules contemplate—explicitly or implicitly—the power to require compulsory pre-loading of a government application on every mobile device sold in India?

The answer, in constitutional terms: highly doubtful.

Delegated legislation must remain within the boundaries of the parent Act. The Telecommunications Act, 2023 nowhere authorises the State to mandate installation of government-controlled software on personal devices.

The Government relied on broad phrasing, but broadness cannot substitute for specific legislative mandate, particularly where fundamental rights are implicated.

III. Ultra Vires Concerns: When Delegated Legislation Overreaches

Indian constitutional jurisprudence is clear:

1. Subordinate legislation cannot extend or enlarge the scope of the parent Act.

Refer:

  • Bimal Chandra Banerjee v. State of M.P. (1970) – Rules cannot widen statutory scope.
  • General Officer Commanding-in-Chief v. Dr. Subhash Chandra Yadav (1988) – Delegated legislation must remain within “four corners” of parent Act.

Applying this doctrine:

A rule meant to prevent IMEI tampering cannot be used to justify embedding government software in every citizen’s device, because such a mandate is not “necessary” for fulfilling the statutory purpose.

Thus, the order arguably suffered from excessive delegation and colourable exercise of power.

IV. Constitutional Scrutiny — The Puttaswamy Privacy Doctrine

The Puttaswamy (2017) nine-judge bench decision created the Four-Fold Proportionality Test for all State actions impinging on privacy:

  1. Legality — must have a valid law
  2. Legitimate Aim — cyber-fraud prevention is valid
  3. Rational Nexus — linking IMEI fraud to Sanchar Saathi is arguable
  4. Necessity & Least Restrictive Means — this is where the direction collapses

Why it fails necessity:

  • Fraud and IMEI-cloning prevention can be addressed by network-side solutions, CEIR back-end strengthening, audits, and voluntary app usage.
  • No empirical basis was shown that mandatory pre-installation enhances protection beyond voluntary adoption.
  • No Privacy Impact Assessment was published.
  • Less intrusive alternatives exist.

Therefore, the mandate cannot survive Puttaswamy scrutiny.

V. Device Autonomy and Digital Freedom Under Articles 19 & 21

India’s Constitution, though written in 1950, has evolved to protect digital personhood.

1. Article 19(1)(a): Informational autonomy

Compulsory presence of a government app interferes with one’s right to control the informational environment of one’s device.

2. Article 19(1)(g): Business autonomy of manufacturers

Manufacturers (Apple, Google, OEMs) design ecosystems with security and privacy philosophies. Mandated apps violate platform integrity.

3. Article 21: Liberty, dignity and digital privacy

Courts have repeatedly held that personal liberty includes autonomy over one’s personal electronic devices.

Cases reinforcing this include:

  • PUCL v. Union of India (1996) – surveillance requires strict legality.
  • Anuradha Bhasin v. Union of India (2020) – digital access and freedom integral to liberty.
  • K.S. Puttaswamy (Aadhaar-II) (2018) – State cannot intrude into devices without statutory safeguards.

A government app pre-loaded on every phone—especially one dealing with identifiers (IMEI)—touches the most sensitive element of digital autonomy.

VI. Consent and the DPDP Act, 2023: A Silent Conflict

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) requires:

  • Free, informed, specific consent for personal data processing
  • Purpose limitation and data minimisation
  • User control over data

A pre-installed app creates structural coercion.
Even if the user “can uninstall”, the default setting is State-mandated presence—which contradicts the spirit of free consent.

Mandatory installation may be justified only by Section 7 legitimate use (for State functions), but only if backed by a clear, specific, narrowly-tailored law, not merely a direction under cyber rules.

The Government’s withdrawal implicitly acknowledges that DPDP compliance was questionable.

VII. The Surveillance Risk Argument: Why Concerns Were Not Paranoia

Digital rights groups had labelled the mandate a “backdoor to surveillance”.

This fear is grounded in:

  • Sanchar Saathi’s access to IMEI—one of the strongest device-tracking identifiers.
  • Future updates could expand functionality without user awareness.
  • India does not have a comprehensive surveillance oversight law (unlike EU/UK).
  • Past examples such as:
    • Aarogya Setu (opacity around source code & data flows)
    • Facial recognition used by law enforcement without parliamentary debate
    • Delhi Police’s AI-enabled profiling systems

Even if the current version of the app does nothing sinister, constitutional law examines potential misuse, not only present conduct (see PUCL).

VIII. Comparative Jurisprudence — How Democracies Handle Mandatory Apps

1. EU (GDPR, ePrivacy Directive)

Mandatory installation of State software without explicit legislation would be unlawful.

2. US

The Supreme Court in Riley v. California (2014) emphasised deep privacy interests in smartphones; compulsory app installation would require Congressional authorization.

3. German Federal Constitutional Court

Extremely sensitive about “state trojans” and any software embedded by the State in personal devices.

India’s withdrawn order was an outlier in democracies, reinforcing why the rollback was necessary.

IX. The Positive Angle — The Government’s Immediate Rollback Is Constitutionally Significant

The speed of withdrawal shows:

  • Public accountability works
  • The executive recognized the proportionality issue
  • India’s digital policy environment is maturing
  • Civil society, privacy advocates, and courts have shaped constitutional expectations

This is reminiscent of:

  • The rollback of the IT Rules 2011 Intermediary Guidelines draft,
  • The modification of Aarogya Setu usage mandates,
  • Government rescinding certain facial-recognition mandates in airports after public pressure.

X. Broader Implications for Future “Regulatory Apps” in Health, Pharma & Medicine

Our focus is particularly on the health sector.

Once the government uses delegated legislation to mandate apps for cybersecurity, similar logic could be applied to:

  • e-prescription apps
  • Pharmacovigilance apps
  • Digital health monitoring apps
  • NDPS enforcement tools
  • Telemedicine compliance apps

The Sanchar Saathi episode acts as a precedent in principle—even without a judgment:

The State cannot compel installation of regulatory apps on personal devices without explicit legislation, strong safeguards, and demonstrable necessity.

This is crucial for future health-tech governance.

XI. Conclusion: India Must Resist the Temptation of “App-Driven Governance” Without Constitutional Guardrails

The Sanchar Saathi mandate was a constitutional misadventure, but its rollback was a constitutional triumph.

It marks a reaffirmation of:

  • Privacy as a fundamental right
  • Device autonomy as part of personal liberty
  • Limits on delegated legislation
  • A maturing digital constitutionalism in India

As India expands into national digital infrastructures—Digital Health Mission, DPDP Act implementation, AI regulation, telecom reform—it must avoid shortcuts like compulsory apps.

The path forward is clear:

  • If the State wants a nation-wide security tool, it must enact a specific law,
  • justify its necessity,
  • conduct privacy-impact assessments,
  • build technological safeguards, and
  • uphold autonomy.

Our smartphones belong to us, not to the State.
The Constitution demands nothing less.

Evolving Regime of Information Technology & Cyber Law: Insights from Dr. Mahendra Limaye’s Webinar at BASL Nagpur

Introduction

On November 8, 2025, Dr. Babasaheb Ambedkar School of Law (BASL), Nagpur, under Rashtrasant Tukadoji Maharaj Nagpur University (RTMNU), hosted a webinar on “Evolving Regime of Information Technology & Cyber Law” featuring Dr. Mahendra Limaye, Advocate and techno-law specialist. The session was organized under the guidance of Smt. Rutunja Bhelave and Shri. Ankit A. Shripatwar, Program Coordinators, BASL.

The webinar aimed to introduce law students to the growing importance of cyber law in a digital society increasingly dependent on technology and data.

Key Highlights from the Session

  1. Understanding the IT Act, 2000
    Dr. Limaye traced the origin of India’s Information Technology Act, 2000 — one of the earliest legislations based on the UNCITRAL Model Law on E-Commerce. Initially enacted to support e-commerce and online communication, it has evolved to cover cybercrimes, digital signatures, and data protection.

  2. Core Definitions and Concepts
    He emphasized key terms under Section 2, including computer, computer network, computer system, and intermediary, explaining their crucial role in understanding liabilities under cyber law.

  3. Digital Signatures and Hash Functions (Sections 3–42)
    Explaining encryption and decryption using public–private key mechanisms, he compared it to a bank locker system, helping students visualize how digital signatures authenticate and secure electronic communication.

  4. Civil and Criminal Liabilities (Sections 43 & 66)
    The webinar clarified how Section 43 deals with civil wrongs like unauthorized access, data theft, or introducing viruses, while Section 66 criminalizes the same acts when done dishonestly or fraudulently.

  5. Repeal of Section 66A
    Dr. Limaye discussed the landmark Shreya Singhal v. Union of India case, which struck down Section 66A as unconstitutional for violating free speech.

  6. Adjudicating Authorities and Jurisdiction (Section 46)
    Civil disputes under the IT Act are adjudicated by designated IT Secretaries of each State, not regular civil courts. Appeals lie before TDSAT, then High Courts, and finally the Supreme Court.

  7. Emerging Relevance of the Digital Personal Data Protection Act, 2023
    With the repeal of Section 43A, the new Data Protection Act introduces a comprehensive legal framework for safeguarding personal data and user consent — a vital area for future legal professionals.

  8. Cyber Crimes & Offenses (Sections 65–67F)
    He explained cybercrimes such as source code tampering, identity theft, cyber terrorism, and online obscenity, citing the severity of punishments ranging from 3 years to life imprisonment.

  9. Advice for Law Students
    Dr. Limaye urged students to treat cyber law as an emerging and high-demand field, combining legal knowledge with technological awareness. He advised building early familiarity with current judgments, NCRB data, and RBI’s Zero Liability Circular for digital frauds.

Conclusion

The session concluded with an interactive Q&A, where Dr. Limaye answered questions on digital signatures, data privacy, and cybercrime reporting through helpline 1930. His practical insights bridged the gap between statutory law and real-world application, inspiring students to explore techno-law as a professional path.

About the speaker

Adv. (Dr.) Mahendra Limaye is a techno-legal cyber law expert (Ph.D.) and FDPPI-certified data privacy professional. He heads the Cyber Awareness Organisation, advises government and private bodies on IT Act, DPDP 2023, GDPR/CCPA compliance, and appears before Adjudicating Officers, district courts, and High Courts in cyber and IPR matters.