INDIA Law and Practice Contributed by: Shivalik Chandan, Hardik Choudhary, Dhruv Singh and Arjun Khurana, G&W Legal
mediaries, data centres, body corporates and the government itself to report all cybersecurity incidents to the Indian Computer Emergency Response Team (the “CERT-In”) within six hours of these incidents being noticed. Such cybersecurity incidents include a wide variety of occurrences, such as unauthorised access to IT systems, identity theft, data breaches and data leaks. CERT-In has been set up under the IT Act as the national agency for addressing cybersecurity issues, including collecting information on cybersecurity incidents, providing for emergency measures to deal with them, and co-ordinating responses to them.

IT Rules 2021
Cloud service providers may be classified as “intermediaries” under Indian law. To claim intermediary safe harbour, they must meet compliance obligations under statutes like the IT Rules 2021.

Interception, Monitoring and Blocking
The Indian government and certain state governments have powers to demand access to information, decryption and monitoring for public order, crime prevention, or national security. Blocking orders can also be issued under the IT Act and through subordinate legislation called the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

India’s banking regulator, the RBI, imposes a number of obligations on Indian banks. Regarding storage of payment information, on 6 April 2018, the RBI issued a direction to all banks and payment system operators to store all payment data in systems located in India only, except in the case of cross-border transactions, where a copy of the payment data may also be stored abroad.
Additionally, the Insurance Regulatory and Development Authority of India requires insurers to maintain records of policies and claims within India only.

Challenges to the Utilisation and Functioning of Cloud and Edge Computing Services
The following aspects, in the context of the Indian legal landscape, may present challenges to the utilisation and functioning of cloud and edge computing services.

Breach notification
As stated above, cybersecurity incidents are to be reported to CERT-In within six hours of becoming aware of the incident, and a contravention of this directive carries with it penal provisions – imprisonment for up to one year, a fine of up to INR10 million (approximately USD116,000), or both. Even though CERT-In has clarified that penalties for contravention will only be imposed in extraordinary cases for wilful non-compliance, practically speaking, this has led to a lot of friction between cloud service providers and their customers, which consist of corporations providing services to Indian customers and processing their personal information, and has greatly complicated the negotiation of any such agreements. This issue is exacerbated by the fact that the global standard for data breach notifications (including as set out in the General Data Protection Regulation) requires data breaches to be reported within 72 hours of becoming aware of the breach.

In addition to the above, once the DPDPA comes into force, it will require data fiduciaries to give notice of every personal data breach to each affected data subject and the Data Protection Board of India (DPB) without delay after the occurrence of the breach, as well as a detailed