SUMMARY
The new deadline is September 25, 2022, as opposed to the previous deadline of June 28, 2022 (today)
The directives have been contended by data centres who will have to rebuild data infra from the bottom up and by VPNs as they go beyond the core ideology of keeping user data private
While the application of the other directive has been extended, the six-hour norm to report cyber incidents will still be applicable from June 28, 2022
The Indian Computer Emergency Response Team (CERT-In) has extended the deadline for reporting cyber incidents and treatment of private data of users for MSMEs, VPNs and data centres to September 25, 2022.
Since its announcement in late-April 2022, the Cybersecurity Directives outlining the cyber incidents reporting and treatment norms of VPNs have been a subject of debate. Previously, the deadline for the same was 60 days from April 28, 2022 [i.e June 28, 2022 (today)].
In a note shared on its website, CERT-In stated that the IT ministry and CERT-In received requests for the extension of timelines for implementation of these Cybersecurity Directions, especially from MSMEs. On the other hand, data centres, VPS, cloud service providers and VPNs also sought additional time to implement the mechanism for validation of subscribers and their customers.
Thus, to enable MSMEs to build the capacity required for the implementation of the cybersecurity directions and for data centres to build and implement validation mechanisms, CERT-In approved the extended deadline. Apart from these two categories, all other companies will have to start abiding by the directives.
What Are The Cybersecurity Directives?
The directives primarily state that due to cybersecurity incidents taking place from time to time, companies will have to report breaches within six hours of the incident first coming to their knowledge.
Secondly, it has asked all government bodies and service providers to maintain a log of all Information Communication Technology (ICT) systems within India for 180 days. The contesting part is that data centres and VPNs will also have to store data regarding their clients for a minimum period of five years.
Besides, internet platforms will have to maintain data related to IP addresses, validated addresses, contact numbers and even ownership patterns of companies using these data and VPN services. The order also mandates crypto exchanges to maintain all information related to Know Your Customer (KYC) and financial transactions of its users for five years.
Why This Debate?
The major debating point among VPNs is that asking VPNs to store data goes against the very definition of ‘private networks’. Many experts have raised questions about the legality of the new rules in the absence of a robust data protection law since a lot of journalists, activists and whistleblowers use VPNs for their work to remain anonymous and protect themselves.
In case the data centres keep the data, their privacy is violated. To this, IT minister Rajeev Chandrasekhar has asked VPN service providers either comply with the directions or terminate their businesses in India.
Following the directives, a few VPN service providers said that they would exit India rather than following such a mandate that threatens the basic foundation of VPN – not storing data of users. NordVPN, Surfshark and ExpressVPN have already logged out of India.
While the application of the other directive has been extended, the six-hour norm to report cyber incidents will still be applicable from June 28.
