Pages

3 December 2024

India’s new cyber rules for telecoms come with big privacy risks, experts say


India’s telecommunications regulator has rolled out rules designed to protect the country’s critical infrastructure networks from cyberthreats, but experts warn that the new guidelines have inadequate safeguards for users' fundamental privacy rights.

The regulations, published last week by India’s Department of Telecommunications (DoT), require telecom entities to report cybersecurity incidents within six hours, share user traffic data with cybersecurity authorities and adopt a cybersecurity policy that includes risk management approaches, training, network testing and risk assessment.

Introduced under the landmark Telecom Act, which passed in 2023, the measures represent a significant regulatory step for the industry. Although the final rules incorporate some changes prompted by public consultations, experts say they still need more guardrails for government access to data.

Impact on user privacy

The obligation to provide user data to state authorities raises significant concerns among privacy advocates.

Contrary to the draft version of the rules, which could have allowed authorities to collect the content of people’s messages, the adapted version mainly permits the collection of user metadata. However, this metadata is still considered "extremely sensitive", according to Namrata Maheshwari, senior policy counsel at the digital rights organization Access Now.

“The law lacks clear restrictions on the government’s authority to collect such data, share it with other agencies, or store it without independent oversight,” Maheshwari told Recorded Future News.


No comments:

Post a Comment