Data privacy and cybersecurity in India

Robust requirements to counteract cybersecurity incidents

Introduction

In the last few years, some of the biggest multinational companies (MNCs) have fallen victim to major cyberattacks affecting over a million individuals. While India does not have a dedicated law on cybersecurity at present, the applicable provisions on cybersecurity are somewhat fragmented under the umbrella legislation of the Information Technology Act 2000 (IT Act), its rules and other sectoral laws.

The government of India has appointed the Indian Computer Emergency Response Team (CERT-In) as the national agency for performing functions in the area of cybersecurity under the IT Act. CERT-In issued a pathbreaking direction on 28 April 2022 (directions). The directions mandate all entities to comply with requirements including time-bound reporting of cybersecurity incidents, synchronisation of all their ICT system clocks and maintenance of logs of all their ICT systems in India, among other obligations. Additional compliances have been prescribed for specific types of service providers, such as data centres, virtual private server providers, cloud service providers, virtual private network service providers and entities in the virtual assets industry.

What are the major challenges faced by MNCs in complying with the directions?

Many MNCs have expressed practical challenges in ensuring compliance with the directions. Pertinently, concerns have been raised regarding the short ‘six hour’ timeline for reporting cyber incidents, which runs from the time the entity notices the incident or is brought to notice about it. The six-hour window poses significant difficulty, particularly where infrastructure is scattered across the globe and time differences apply.

Additionally, entities with a presence in other jurisdictions have expressed difficulty in using an accurate and standard time source for synchronising their system clocks with the Network Time Protocol server of the National Informatics Centre or the National Physical Laboratory. While CERT-In has taken note of these challenges in its FAQs, it has not provided any formal guidance on the issue.

Further, heavy investments are also required to comply with the mandatory retention of ICT system logs for 180 days within Indian jurisdiction. This becomes more difficult as entities may first have to identify which logs relate to their Indian ICT systems. The lack of any specific guidance on this issue adds to the complexity.

What has been the enforcement trend?

Non-compliance with the directions can potentially attract punishment with imprisonment of up to one year or a fine of up to INR 100,000 (approximately USD 1,300), or both. That said, enforcement has been limited so far.

As the directions approach the first anniversary of their issuance, it will be interesting to see whether CERT-In makes any effort to strictly enforce compliance despite the practical challenges that entities have highlighted.

The landscape may witness some change with the government’s continued focus on an open, trusted, safe and accountable internet as well as enactment of the Digital India Act in the near future.

India: A case for data privacy reform

Introduction

India’s existing data privacy laws are fragmented across general laws such as the Information Technology Act 2000 (IT Act) read with the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (SPDI Rules). The IT Act was enacted by the Indian government mainly to govern matters such as cybercrime. In recent times, sectoral regulators such as the Reserve Bank of India have also issued several regulations governing data privacy and protection for entities regulated by them.

Proposed new legislation

On a sector-neutral basis, the IT Act and SPDI Rules largely provide for obligations relating to the collection and processing of sensitive personal data or information in India. However, these were increasingly found to be inadequate to deal with the growing data privacy concerns of recent times.

The Indian government has been working towards formulating a comprehensive data privacy legislation. After several previous iterations, on 18 November 2022, the Indian government released a draft of the proposed legislation, namely the Digital Personal Data Protection Bill 2022 (Bill). In this Bill, the Indian government has also taken a unique approach to make the draft legislation easy to comprehend: it provides a general framework for the provisions while leaving room for certain specific details to be determined through future rule-making.

What are some key changes which are expected?

The proposed new Bill aims to significantly revolutionise the legal framework around India’s data privacy laws and provides for specific compliances and associated financial penalties in case of non-adherence. The obligations under the Bill apply to personal data collected online, and to personal data collected offline and subsequently digitised. The Bill does not classify personal data into further categories of sensitive or critical personal data.

The Bill provides additional grounds for processing personal data besides ‘consent’, which it terms ‘deemed consent’. Further, the Indian government may notify countries or territories outside India to which entities may transfer personal data, in accordance with such terms and conditions as may be specified. Separately, recent news reports suggest that this ‘white list’ approach may be converted to a ‘black list’ one. Notably, in the context of personal data breaches, the Bill does not identify any threshold, such as a risk-based test, for notifying authorities and affected individuals about personal data breaches. The Bill introduces significant financial penalties for non-compliance with personal data protection requirements, with a maximum penalty of INR 5,000,000,000 (approximately USD 60m) for significant breaches.

Conclusion

As technology continues to evolve and new risks emerge, it will be important for the Indian government to continue to update and refine India’s existing laws so that they remain effective in safeguarding personal data without stifling innovation. The trend towards global data privacy regulation is likely to continue, and it underscores the need for the Indian government to keep working towards implementing a comprehensive data privacy legislation.