SUMMARY
IAMAI has reportedly sent a letter to the IT ministry this week, criticising one of the directives in the government’s new cyber security rules introduced in April
IAMAI has reportedly proposed to extend the six-hour window for reporting cyber incidents citing the global standard of 72 hours
IAMAI was not immediately available to confirm the report to Inc42
The Internet and Mobile Association of India (IAMAI), the industry body representing companies such as Google, Meta (formerly Facebook), and Reliance, has reportedly sent a letter to the IT ministry this week, criticising one of the directives in the government’s new cyber security rules introduced in April.
The new direction that would be in effect from June 27 will create an “environment of fear rather than trust”, IAMAI has warned the government, asking for delaying it by a year, as reported by Reuters.
India’s Computer Emergency Response Team (CERT-In), monitored by the Ministry of Electronics and Information Technology (MeitY), introduced the new directions around cyber security on April 28, mandating all private Virtual Private Network (VPN) service providers, cloud service providers and more such organisations to collect their user data and store them for five years or more.
In the new CERT-In rules, there is another direction that requires the tech companies to report any cyber incidents within six hours of noticing the breaches.
In its letter to the ministry, IAMAI has reportedly proposed to extend the six-hour window and noted that the global standard for reporting cyber security incidents is generally 72 hours.
The cost of complying with such directives could be ‘massive’, and proposed penalties for violation including prison would lead to “entities ceasing operations in India for fear of running afoul,” the IAMAI letter said, as per the report.
IAMAI was not immediately available to confirm the same to Inc42.
Earlier, several legal experts have spoken against the new rules calling them detrimental to user privacy and data protection.
Besides, the latest IAMAI letter to the government follows one from 11 significant tech-aligned industry associations that said the new requirements would make it difficult to do business in India, earlier this week.
There were reports on May 28 that a host of global business associations including the US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum, techUK, and others, have expressed concerns over the new directions in a letter to Sanjay Bahl, the director general of CERT-In.
As a step to maintain its stringent no-log policy, ExpressVPN announced removing its India-based servers this week.
“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” wrote the foreign VPN service provider in a blogpost.
On the other hand, another VPN service provider NordVPN has been mulling India exit plans since the directives were first introduced.
“If the current Indian government’s position will not change in the next couple of weeks, we will remove our servers as there will be no other way to stay in India while preserving the privacy of our customers and integrity of our service,” Laura Tyrylyte, head of public relations at Nord Security said in her latest email to Inc42.
“That said, we don’t see any reason to remove our infrastructure earlier than necessary,” she added.
Despite criticisms from varied legal and industry bodies, and companies planning to leave India, the government has maintained its stance of putting the new directives into effect.
To that end, Minister of State for Electronics and IT Rajeev Chandrasekhar made it clear in May that VPN service providers have the option of either following the latest directions or terminating their businesses in India.
