The Indian government is pushing for a controversial new directive setting cybersecurity and online privacy rules that will require businesses to report data breaches within six hours or face sanctions. Last night, during a press conference, the Indian IT Minister said that the country will not reconsider these plans despite resistance from the country’s technology sector.
The new directive calls on technology companies to report data breaches within six hours of the “detection of such incidents” to the Indian Computer Emergency Response Team (CERT-In) and to maintain IT and communication log files for six months.
Cloud computing and VPN services will also need to keep customers’ names and IP addresses for at least five years, even if customers terminate their accounts.
Sanctions for non-compliance with the new regulations can be high. Under the new FAQ, “any service provider, intermediary, data center, legal person or entity” who fails to provide the requested information shall be punishable by a term of imprisonment of up to one year or a fine which may extend up to 100,000 rupees or both.
IT Minister Rajeev Chandrasekhar told reporters that if technology companies do not want to comply with the CERT-In directive, they may leave India: “If you are a VPN service provider, data center or cloud computing service provider, you need to know who uses your service and for what. If these rules are not for you, then this place is not for your business,” he said.
The directive will enter into force at the end of June.
Some VPN companies in India think the decision is too vague and too harsh. Proton VPN tweeted that “India’s new VPN regulations are an attack on privacy and threaten to put citizens under the microscope.” NordVPN says it is considering withdrawing its servers from India, while ExpressVPN says it is “fully committed” to protecting the privacy of its users.
India’s new cybersecurity rules: the geopolitical context
Although ostensibly designed to reflect Western regulations and improve data confidentiality for Indians, the government may have another agenda in passing the legislation, said Emily Taylor, chief executive of cybersecurity company Oxford Information Labs. “India is the largest democracy in the world, and what we have seen in the last few years is a series of legislative and regulatory proposals that look and feel very European, but with a twist,” she said. “There’s a lot more forced background.”
Taylor continues: “He has this mix of democratic-looking laws and authoritarian instincts, or at least the possibility of abuse in an authoritarian way.” The problem is the level of access that the Indian government requires to personal data, she added. “There are no checks and balances around government action that you would expect,” Taylor explained. “So it looks and feels a bit like the GDPR, but then there’s a huge fire of data that needs to be returned to the government and a lot of civil society organizations.”
Smaller companies will not be able to comply with the elements of the directive, said Alexi Drew, a senior analyst at the RAND Europe think tank. This is important as technology start-ups make up a significant tranche of the technology landscape in India. “The type of companies that report are smaller startups, those that come up with new ideas and try to do new things, they tend not to have huge amounts of resources,” Drew said. “The type of strict data retention, reporting and governance structure that India is introducing is likely to be a major obstacle for these types of companies.”
This could potentially harm India’s global position in the world of technology. “I think the effect could be that you’re just stifling the potential for Indian innovation, which may have gone in a completely unique and very valuable direction, as well as the growing internationalization of larger pre-established companies,” Drew said.
Will India’s new cybersecurity rules be implemented?
The consequences could be so great that the regulations may not last very long in this form. “I think they will have to face the reality that if they want the benefits of a growing and valuable technology industry, they will have to take things in half,” Drew added. “There will probably be flexibility. It could be in the details, it could be in the report.”
In fact, businesses may choose not to follow the directive at all, said Prateek Waghre, political director at the New Delhi-based Foundation for Internet Freedom. “Depending on how strong the repulsion is, there could potentially be a revision,” he said. “The initial statement does not seem to point in that direction, but by the time the deadline arrives, there may be some additional qualifications.”
“It is unlikely that millions of people will go to prison, but the very fact that it exists will determine the way people act and how they comply.”
The new directive will challenge compliance and implementation, he continued. “Many of these things will be difficult to implement unless you have a very complex censorship or filtering infrastructure,” says Waghre. The new CERT-In may not have the budget to offer such complexity. “The distribution of the budget is not commensurate with the amount of responsibility the government places on it. And that’s another question mark,” he added.
Waghre says that whether the directive makes a difference will be reduced to “how much appetite there is to impose it”, adding: “They certainly make a fuss about implementation, but come at the end of June, when should they come into force? We will have to wait and see.”