How SIM-based tracking is the next step for logistics in India: Legal landscape, compliance obligations, and strategic edge

The logistics industry in India is undergoing a transformative shift with the integration of SIM-based tracking systems which has been achieved through the deployment of machine-to-machine (M2M) SIMs and embedded eSIMs in vehicle location tracking devices, IoT modules, and driver-issued handsets. This development represents the next evolutionary phase in digital logistics infrastructure. It delivers seamless network continuity, alignment with statutory mandates, and superior tamper resistance compared to traditional GPS or app-dependent systems.

From a legal standpoint, the deployment of SIM‑based tracking systems in India lies at the intersection of three critical domains: (i) Automotive safety mandates under the Central Motor Vehicles Rules and Automotive Industry Standards (AIS‑140), (ii) Telecom Act, 2023 (once notified) and existing Department of Telecommunications (DoT) framework on the usage of embedded SIM for M2M communications, and (iii) Data governance obligations under the Information Technology Act, 2000 and, once the accompanying Rules are notified and the law brought into force, the Digital Personal Data Protection Act, 2023 (DPDP Act).

This article examines how these frameworks interconnect, the compliance architecture they collectively demand, and why SIM-based tracking represents not just a regulatory necessity but a strategic advantage for logistics operators in India.

The adoption of SIM-based tracking marks a decisive move, away from fragmented telematics systems towards a unified, regulated model that integrates automotive safety, telecom infrastructure, and digital accountability. What began as experimental deployments in pilot fleets has now matured into a compliance oriented national framework encompassing passenger transport, freight logistics, and cold chain operations.

From a regulatory standpoint, SIM-based tracking operates at the intersection of three concurrent compliance layers, automotive, telecom, and data protection, each reinforcing the other to ensure both operational safety and legal traceability.

First, under Rule 125H of the Central Motor Vehicles Rules, 1989 (CMVR), specified categories of public service vehicles must be fitted with Vehicle Location Tracking Devices (VLTDs) and emergency buttons that conform to Automotive Industry Standard AIS-140. Enforced by State Transport Departments, this rule ties device fitment to the issuance and renewal of permits and fitness certificates. AIS-140 itself sets rigorous benchmarks for hardware, encryption, GNSS compatibility, and integration with State Transport Monitoring Centres (STMCs), making it the statutory backbone of India’s transport telematics regime.

Telecom compliance forms the second layer. The Telecommunications Act, 2023, together with DoT’s M2M guidelines, establishes a comprehensive legal framework for enterprise connectivity. Every M2M SIM must be issued under enterprise KYC, utilise a 13-digit numbering series, and have consumer features such as voice and SMS disabled unless explicitly required for safety. The use of embedded eSIMs which enable remote provisioning adds a further compliance dimension, mandating secure control over profile management to prevent unauthorised switching or misuse.  Depending on the operator’s configuration, such M2M SIMs may also support multi-network roaming and SMS fallback capabilities, enhancing continuity of data transmission in low-coverage areas. These provisions ensure that each active SIM in a tracking device is lawfully provisioned, traceable, and auditable.

Third, although still evolving, the data governance layer anchors the privacy and accountability principles that govern telematics data. Even before the DPDP Act takes effect, the Information Technology Act, 2000 and Sensitive Personal Data or Information (SPDI) Rules, 2011 already regulate the handling of location data that can identify individual drivers or operators. Once the DPDP Act is enforced, logistics operators will formally assume the role of Data Fiduciaries, bound by obligations of lawful processing, data minimisation, retention limitation, and transparency.

Together, these three layers are converging to form a coherent ecosystem, one where connectivity, safety, and privacy reinforce rather than conflict with each other.

The transition to SIM-based tracking is not simply a technological upgrade but a structural response to India’s maturing regulatory environment. Traditional GPS systems, while useful for visibility, were never built to satisfy layered compliance across transport, telecom, and data protection laws. SIM-based solutions, by contrast, embody compliance by design.

a. Compliance assurance

In vehicles where AIS-140 fitment is mandatory, a SIM-based tracking system offers a verifiable record of legal conformity. Each M2M SIM carries a unique identifier linked to an enterprise subscriber, creating an audit trail that satisfies both transport and telecom regulators. It eliminates the risks associated with consumer SIMs, unauthorised provisioning, unverifiable user identity, and legal exposure under the Telecommunications Act, 2023.

Beyond compliance, such systems enhance evidentiary defensibility. In the event of an accident or regulatory investigation, data transmitted via an authenticated M2M network is inherently more reliable than GPS data from unsecured, app-based devices. Thus, SIM-based tracking is not just a compliance tool; it is a legal safeguard.

b. Operational benefits

Operationally, M2M connectivity ensures continuity of service, with multi-network roaming and SMS fallback maintaining real-time data flow even in low-coverage areas. This improves response time for route deviations or emergencies and supports integration with enterprise fleet-management systems. The result is a system where regulatory compliance and operational resilience coexist, turning legal obligations into measurable performance advantages.

c. Privacy and proportionality

Critically, SIM-based tracking can be configured to uphold privacy and proportionality standards. Operators can limit live tracking to duty hours, define retention periods, and apply anonymisation protocols, ensuring compliance with the Information Technology Act, 2000 and the proportionality test articulated in Indian privacy jurisprudence. Properly implemented, it reflects a privacy-by-design model aligned with forthcoming DPDP norms.

Transport and automotive regulation

Under Rule 125H of the CMVR, the installation of VLTDs and emergency buttons is mandatory in specific vehicle categories, with AIS-140 certification as the governing standard. Compliance extends beyond hardware, covering encrypted data transmission, over-the-air updates, and integration with government monitoring systems. In practice, however, the integration process is implemented at the State level, and real-time linkage with the VAHAN database varies across jurisdictions. Accordingly, fitment data, where integrated, is recorded on VAHAN, linking the device directly to the vehicle’s legal and operational status.

Telecom and SIM regulations

The Telecommunications Act, 2023, coupled with DoT’s M2M framework, governs the provisioning and use of M2M SIMs. Each SIM must be mapped to an authorised enterprise user, restricted from consumer-grade functions, and auditable under DoT’s record-keeping obligations. For eSIMs, remote provisioning and profile management must occur through authorised platforms, ensuring secure control and preventing unauthorised switching. These requirements collectively enforce lawful connectivity, traceability, and telecom-grade security.

In parallel, the processing of telematics and geolocation data invokes India’s emerging privacy regime. Even before the DPDP Act is operational, the IT Act and SPDI Rules require data controllers to adopt “reasonable security practices.” Once the DPDP Act takes effect, logistics operators will be obligated to identify lawful processing grounds (consent or legitimate use), minimise collection frequency, and establish transparent retention and grievance protocols. In practice, this will also necessitate revising data-sharing agreements with telematics vendors to align with fiduciary obligations.

Implementing SIM-based tracking is not a one-time installation exercise, it is an ongoing compliance lifecycle integrating transport certification, telecom provisioning, and data governance.

The process begins with automotive compliance. Each vehicle must be fitted with an AIS-140 certified device, installed by an authorised retrofitter and registered on VAHAN. Operators should maintain logs of device activation, uptime, panic-button functionality, and data relay performance. Regular internal audits ensure that safety obligations are continuously met and verifiable during inspections or renewals.

Simultaneously, telecom compliance must be embedded at the provisioning stage. Every M2M SIM should be enterprise-issued, mapped to a specific asset, and restricted from unauthorised use. For eSIM-based solutions, operators must partner with authorised service providers, enforce profile locks, and maintain provisioning records. Routine reconciliation between SIM inventories and deployed assets is critical, not only to prevent misuse but also to demonstrate due diligence during DoT audits.

Lastly, the third pillar of this roadmap is data governance. As India transitions to the DPDP regime, logistics operators should adopt bilingual privacy notices, define explicit processing purposes, and set clear retention schedules, typically six months for operational data and up to two years for safety logs. Encryption in transit and at rest, role-based access controls, and breach notification protocols must become standard practice. When integrated effectively, these measures transform fragmented compliance obligations into a cohesive governance framework that is both defensible and efficient.

SIM-based tracking represents a structural inflection point in India’s logistics governance. By embedding regulated connectivity at the hardware level, it unites safety, telecom compliance, and data protection within a single operational fabric. For logistics operators, this means the ability to demonstrate statutory compliance under the CMVR and Telecommunications Act, while preparing for the data governance standards envisioned under the DPDP Act.

What makes SIM-based tracking transformative is its dual character, it is both a regulatory necessity and a strategic enabler. It enhances safety oversight, builds a verifiable audit trail of lawful network usage, and embeds privacy-conscious data management. As India’s transport, telecom, and digital frameworks continue to converge, SIM-based tracking will not merely be an upgrade, it will define the new standard for transparency, accountability, and trust in the logistics sector.

About the author: Vishwas Chitwar is a Senior Associate at NovoJuris Legal.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.