A body representing top tech firms recently wrote to the IT ministry in the Indian government criticizing a directive on cybersecurity set out in April. The body said that the Indian cybersecurity rules that shall come into effect from later this month shall be creating an “environment of fear rather than trust.” The Internet and Mobile Association of India (IAMAI), which represents tech firms including Facebook, Google, and Reliance also called for a one-year delay before the rules could take effect.
As part of the directive from the Indian Computer Emergency Response Team (CERT), tech companies would be required to report data breaches within six hours of noticing any such incident and they are also required to maintain IT and communication logs for six months. The IAMAI proposed to extend the six-hour window, quoting that the global standards for reporting such incidents were seventy-two hours.
As part of the same directive, CERT has also asked cloud service providers such as Amazon and Virtual Private Network (VPN) companies to retain names of their customers and their IP addresses for at least five years, even after they stop using the company’s services. The IAMAI said that the cost of complying with such directives could be “massive” and the proposed penalties for violations which include prison would lead to “entities ceasing operations in India for fear of running afoul.”
Last week, VPN service provider, ExpressVPN removed its servers from India, saying that it “refuses to participate in the Indian government’s attempts to limit internet freedom”.
It is to be noted that India has been trying to tighten regulations of big tech firms in the recent years, which has been met with reluctance and pushback from the industry. The Indian government said that the new cybersecurity rules were very much needed as cybersecurity incidents were reported regularly but the requisite information needed to investigate them was not always readily available from service providers.
