Explained! Why are IT companies opposed to India’s new cyber rules?
In India, tech firms say the new cyber rules risk creating an ‘environment of fear’
The Internet and Mobile Association of India (IAMAI), which represents big tech firms including Facebook, Google and Reliance, wrote this week to India’s IT ministry, criticising a directive on cybersecurity set out in April 2022.
The new Indian cyber security rules, due to come into force by the end of June 2022, will create an “environment of fear rather than trust”, according to IAMAI.
The body has informed the government that the concerned companies would need some more time in order to be fully compliant with the new laws, therefore asking for a one-year delay before the rules take effect.
India’s new cybersecurity directives
The Indian Computer Emergency Response Team (CERT-In) issued a circular to government and business entities on April 28, 2022, including cybersecurity guidelines and requiring the reporting of cybersecurity events. On June 27, 2022, the new rules will take effect.
The earlier CERT-In regulations from 2013 did not specify a time limit for reporting cyber-security issues; instead, they just required reporting within a reasonable time period.
The 2022 CERT-In rules, on the other hand, tighten this requirement by requiring cyber security breaches to be reported within six hours of being detected.
They also required cloud service providers like Amazon and virtual private network (VPN) providers to keep client identities and IP addresses for at least five years after they cease using their services.
New rules mean more costs, burden
In recent years, India has increased oversight of giant digital businesses, causing industry backlash and, in certain circumstances, damaging trade ties between New Delhi and Washington.
Similarly, business worries about an increasing compliance load and increased expenses have been expressed in response to the new cybersecurity measures.
The burden of complying with such guidelines might be enormous, and the anticipated penalties for violations, which include prison time, could force businesses to leave India.
The rules have also caused widespread discontent as many social media and tech company executives discussed strategies to urge New Delhi to put the rules on hold.
However, the Centre has said the new rules were needed as cybersecurity incidents were reported regularly but the requisite information was not always readily available from the service providers.
Many companies already leaving India
ExpressVPN was the first virtual private network service provider to reject the new regulations imposed by the Indian government and relocate its servers outside of the country.
The company said that it refuses to collaborate in the Indian government’s attempt to curtail internet freedom, according to a blog post published on June 2.
It claims, however, that the shutdown of its India servers would have no effect on consumers. Users will be able to connect to VPN servers that will provide them with Indian IP addresses and allow them to access the internet as if they were in India, according to the company.
Nord VPN, one of the world’s largest VPN providers, has also said it may remove its servers from India.
Last month, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology said that VPN service providers that are unable to comply with the new cyber security rules of the country would be forced to leave India.
It is in place to mention here that CERT-In is the nodal agency for regulating cyber security as per provisions of Section 70B of the Information Technology Act, 2000 (IT Act).
The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and government organization.
