The Indian government is pressing ahead with a controversial new directive dictating cybersecurity and online privacy regulations, which will mandate businesses to report data breaches within six hours or face sanctions. Last night during a press conference, India’s minister for IT stated that the country won’t be revising these plans despite opposition from the country’s technology sector.
The new directive demands that tech companies report data breaches within six hours of “noticing such incidents” to the Indian Computer Emergency Response Team (CERT-In) and maintain IT and communication logs for six months.
Cloud computing and VPN services will also be required to retain names of customers and their IP addresses for at least five years, even if the customers terminate their accounts.
The penalties for not complying with the new regulations could be high. According to the new FAQ, “any service provider, intermediaries, data centres, corporate body or person” who fails to provide the information called for shall be “punishable with imprisonment for a term which may extend to one year or with a fine that may extend to 100,000 Rupees, or with both”.
The minister for IT, Rajeev Chandrasekhar, told reporters that technology companies which do not want to comply with the CERT-In directive can leave India: “If you are a VPN service provider, data centre or cloud computing service provider, you need to know who is using your service and for what. If these rules are not for you, then this place is not for your business,” he said.
The directive will come into effect at the end of June.
Some VPN companies in India believe the ruling is too vague and too harsh. Proton VPN tweeted that “new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance”. NordVPN states it is considering pulling its servers out of India, while ExpressVPN says it is “fully committed” to protecting its users’ privacy.
India’s new cybersecurity rules: the geopolitical context
Though the directive is ostensibly designed to mirror regulations in the West and improve data privacy for Indians, the government may have another agenda for pushing through this legislation, says Emily Taylor, CEO of cyber intelligence company Oxford Information Labs. “India is the world’s largest democracy, and what we’ve seen over the last few years is a raft of legislative and regulatory proposals that look and feel very EU, but with a twist,” she says. “There’s much more of a coercive backdrop to it.”
Taylor continues: “It has this mix between democratic-looking laws and authoritarian instincts, or at least of the possibility for abuse in an authoritarian way.” The issue is with the level of access the Indian government is demanding to individuals’ data, she adds. “There aren’t the checks and balances around government actions that you would expect,” Taylor explains. “So it looks and feels a bit like GDPR, but then there’s a massive firehose of data that has to go back to the government and many civil society organisations.”
Smaller companies will not be able to comply with elements of the directive, argues Alexi Drew, senior analyst at think tank RAND Europe. This matters because technology start-ups make up a significant tranche of the tech landscape in India. “The type of companies that count are the smaller start-ups, those that are coming up with new ideas and trying to do new things, they tend to not have huge amounts of resources,” Drew says. “The kind of stringent data retention, reporting and governance structure that India is putting in place is likely to be quite a hindrance for those kinds of companies.”
This could potentially damage India’s global standing in the technology world. “I think the effect might be that you simply see a stifling of potential in terms of Indian innovation that might have gone in an entirely unique and very valuable direction, as well as an increasing internationalisation of larger pre-established companies,” Drew says.
Will India’s new cybersecurity rules be implemented?
The fallout may be so big that the regulations do not last for very long in this form. “I think they’ll need to face the reality that if they want the benefits of a developing and valuable tech industry, they will have to meet things halfway,” Drew adds. “There’s likely to be flex. It might be in the details, it might be in the reporting.”
Indeed, businesses may choose not to follow the directive at all, says Prateek Waghre, policy director at the Internet Freedom Foundation based in New Delhi. “Depending on how strong the pushback is, potentially there could be some revision,” he says. “The initial statement doesn’t seem to point in that direction, but by the time the deadline arrives there could be some further qualifications.”
“It is unlikely that millions of people will go to prison, but just the fact that this exists will shape how people act and how they comply.”
The new directive will present challenges of compliance and enforcement, he continues. “A lot of these things are going to be difficult to enforce unless you have very sophisticated censorship or filtering infrastructure,” Waghre says. CERT-In may not have the budget to offer such sophistication. “The budgetary allocation is not commensurate with the amount of responsibility the government is putting on it. And so that’s another question mark,” he adds.
Waghre says whether the directive makes a difference will come down to “how much of an appetite there is to enforce it,” adding: “They’re certainly making noises about enforcement, but come the end of June when they’re supposed to go into effect? We’ll have to wait and see.”