India–UK Protocol: A practical pact for data, security and AI
From sandboxes to shared APIs, two democracies are stitching governance to engineering
At India Mobile Congress, the talk was less about visions and more about verbs: detect, share, standardise, deploy. The Cybersecurity Summit and a session on UK– India collaboration in future telecoms, felt like a handover from rhetoric to routine. That matters because security succeeds in code and contracts, not slogans. India’s digital footprint is enormous. “Telecom infrastructure supports more than 1.2 billion connections in India and billions more globally, handling enormous volumes of data traffic. AI systems analyse real-time data and historical patterns to foresee potential faults and schedule maintenance proactively,” said Anil Kumar Lahoti, chairman TRAI.
Where the UK fits
The United Kingdom brings a seasoned governance toolkit: incident playbooks, standards bodies and a habit of running live regulatory pilots. That complements India’s scale and appetite for experimentation. Julian Gorman, Head of Asia Pacific, GSMA warned that “Across Asia, scams have become a borderless challenge, eroding consumer trust and undermining digital inclusion.” His prescription was practical — anonymised risk signals routed via APIs to banks and platforms — and that is where UK experience in sandboxing and standards helps make solutions portable across jurisdictions. There was a consensus that sandboxes are the middle ground between law and launch. “Regulatory flexibility and data-sharing sandboxes will be crucial to achieving this,” Gorman added. Sandboxes allow telecom companies, banks and platforms to share anonymised threat data, test detection models and measure outcomes without triggering privacy or liability alarms. If pilot experiments help reduce fraud and respect consent, regulators can scale those patterns into policy rather than legislate first and test later.
Vendors are not merely selling boxes — they are offering operational primitives. Magnus Ewerbring, CTO-APAC at Ericsson, described AI as the network’s nervous system: spotting anomalies, qualifying suppliers and helping standardise secure deployments. “AI increasingly plays a role in all these areas from qualifying suppliers and securing network implementations to detecting anomalies in reallife operations,” he said.
Policy with workable compromise
Law and code don’t always speak the same language. India’s Data Protection framework and the UK’s post-Brexit arrangements don’t align neatly; thorny questions remain about anonymisation thresholds, cross-border liability and lawful sharing. MeitY Secretary, S. Krishnan framed the trade-off differently: “AI will not replace people but subtract friction from the equation and India has provisions in its law to protect the interest of its people.” Sovereignty, he suggested, should be reframed as capability — local compute, sectoral models and governed access — not isolation.
Lt. Gen. Dr S.P. Kochhar, DG, COAI struck a social note, “The most important thing to do is protect us from ourselves. Majority of people fall prey to scams due to lack of awareness.” Technology can surface signals; it cannot teach prudence. That’s why public literacy campaigns, predictable consent mechanisms and clear standards are as vital as any detection model. Ambika Khurana of Vodafone India Ltd. argued the pilots must prove privacy won’t be the casualty of speed: “With India’s increasing scale and digital adoption, the concern around scams is also getting bigger. We are working with TRAI on an interesting pilot and collaborating with RBI and Indian banks to build a robust framework which will foolproof and secure all privacy requirements and streamline consent so that users are empowered in their digital journey.”
The operational blueprint
A plausible India–UK playbook begins to take shape. Telcos detect anomalous patterns and feed anonymised risk signals through standardised APIs. Banks and platforms act on those signals. Regulators observe outcomes in sandboxes and refine rules. Rahul Vatts, Chief Regulatory Officer, Bharati Airtel said, “When we tried to do some of the APIs, we recognised some patterns — like SIM swap, device swap, and OTP manipulation. Most of the operators in India have started implementing those APIs. I think two large operators have already onboarded, and we are ready and, in fact, creating proof of concept with some of the banks right now.” Navin Kumar Singh, National Cybersecurity Coordinator, put it bluntly, “It is crucial to recognise that robust cybersecurity is no longer an option but essential, where even a single vulnerability can expose billions to surveillance, data theft and national security risks. As we move towards 5G and beyond, we must ensure that security and sovereignty are embedded into every layer of our telecom infrastructure.” India and the UK are not signing a grand treaty; they are negotiating APIs, playbooks and test cases.