India’s Ministry of Electronics and Information Technology (MeitY) is expected to meet VPN players on Friday, along with technology policy groups, cybersecurity experts and legal experts, to review an earlier directive that requires VPN companies to store customer data for five years and makes it mandatory for Indian companies to report security breaches within six hours.
According to the Economic Times, which broke the story, the meeting could be chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar. As of Friday evening, government officials had not confirmed whether the meeting had taken place.
Technology policy groups, including The Dialogue, Access Now, Internet Freedom Foundation, Software Freedom Law Center, India and BSA India, had earlier written to the minister about the directive, which could make it harder for VPNs to operate in India and place high compliance pressure on enterprises in India.
An FAQ document, published in addition to the instructions posted on the website of the Indian Computer Emergency Response Team (CERT-In), clarifies that the new rules will not affect enterprise VPN services, although the instructions themselves do not say so.
“FAQ documents are not legally binding. FAQs also state that it is a ‘developed document’. The fact that the document is not legally binding means that BSA members or any other organization cannot effectively rely on FAQ guidelines. Actions could be harmed,” the BSA said in a letter dated May 30, entitled “BSA Concerns over CERT-In Guidelines on Data Protection Practices”.
Companies want clarity in VPN instructions
BSA India also seeks clarification on the requirement that certain security incidents be reported within six hours, and has requested the government to extend the reporting time to 72 hours after discovery.
“Based on our experience and research, within the first 24-72 hours of the discovery of a probable event, uncertainty and rapid investigative, control and remedial work are involved. This is an important time, as there is a constant need to respond unexpectedly. As it was discovered,” the letter said.
At least two VPN players, including Surfshark and ExpressVPN, have already announced that they will remove their servers from India in response to the directive, which was issued on April 28 and takes effect later this month. NordVPN has further warned that it will remove its physical servers if the instructions are not reversed.
“It’s amazing that a government that claims to be the cheerleader of the tech ecosystem comes up with a policy that reminds us of the regular license raj. Expectations of the processes determine how the North Star controls here at any cost,” said Mishi Choudhary, a technology lawyer and online civil liberties activist. Choudhary was also the founder of Software Freedom Law Center, India, which is appealing against the new rules.
The directive is expected to affect consumers as well as enterprises. Privacy advocates fear that the new directive could invade privacy by forcing VPN companies to store information such as customer names, email addresses, IP addresses, know-your-customer records and financial transactions for five years. The new rules also add to the compliance pressure on enterprises, as any cybersecurity breach must now be reported to CERT-In within six hours.
Copyright © 2022 IDG Communications, Inc.