Data Privacy Concerns: Experts Question India’s Cybersecurity Mandate

India’s new cybersecurity regulations have sparked concerns within the telecommunications sector. Under the directives issued by the Ministry of Telecommunications, companies are required to appoint a Chief Communications Security Officer and report cyber incidents within six hours. However, experts highlight numerous challenges associated with implementing these rules.

Legal professionals emphasize that the absence of a clear definition for “data traffic” creates uncertainty regarding the scope of information the government can request. Furthermore, the lack of limits on data retention periods raises concerns about indefinite data accumulation without legislative safeguards, potentially infringing on privacy rights.

Comparisons with international standards also prompt questions. For instance, the United States and the European Union allow a 72-hour window for reporting cyber incidents, significantly longer than India’s six-hour requirement. Experts argue that these demands are overly ambitious and difficult to implement effectively.

Telecommunications companies warn that complying with the new norms will lead to increased operational costs. Over time, these expenses are likely to be passed on to consumers through higher tariffs, with the extent of price hikes varying based on the size of the operator and the current state of their cybersecurity processes.

To mitigate costs, experts recommend leveraging automation and AI-based tools. Companies are also encouraged to collaborate with external consulting firms that possess the necessary expertise and resources to ensure compliance with the new regulations.

Certain aspects of the rules have been criticized for imposing excessive obligations on telecom companies. Legal analysts argue that operators cannot feasibly guarantee the prevention of user misuse, rendering some provisions impractical.

These regulatory changes are driven by the desire to strengthen oversight of a sector that handles sensitive information. However, the lack of clarity in the guidelines and the stringent requirements pose risks to the industry, highlighting the need for refinements to achieve a balanced approach between safeguarding citizens’ rights and ensuring security.