
In this edition, we bring you the latest on cybersecurity, data privacy, crypto, online gaming and 5G.

The uncertainty of CERT-In guidelines

In April 2022, the Indian Computer Emergency Response Team (CERT-In) released directions for prevention, response and reporting of cyber incidents (Directions), which will be effective from 26 June 2022.

Recap: The Directions will apply essentially to any company with an IT system. They pose compliance challenges as, amongst other things, companies will now need to report cybersecurity incidents within 6 hours, align their systems with Indian time protocols, maintain IT logs and store them in India. Additionally, cloud service providers, data centres, virtual private networks will also be required to collect and store customer details akin to a KYC requirement.

The Directions list cyber-incidents such as spoofing, identity theft, attacks on blockchain, drones, among others. The verdict on whether this list safeguards against emerging threats in a rapidly evolving cyber space is still out. Read Vijayant's views for Medianama on how the Directions differ from global best practices and can create operational challenges.  

Government releases clarifications: In line with the recent trend from the IT Ministry, CERT-In released a Frequently Asked Questions (FAQ) document on 18 May 2022. It aims to "explain the nuances" of the Directions, but the FAQs leave more room for interpretation than a Christopher Nolan movie.

Here are a couple of examples:

The FAQs clarify that the 6-hour timeline is applicable only for severe incidents on public information infrastructure, data breaches and leaks, large-scale frequent incidents, and cyber incidents impacting human safety. Further, the IT Ministry has clarified that it wouldn't matter if the incident is reported at the 7th hour. It is only concerned with keeping records of all cybersecurity incidents.

But what is a severe incident anyway? The FAQs do not define what 'severe' or 'large-scale incidents' mean, leaving some room for confusion.

To store, not to store, or to mirror? On the requirement to store IT logs in India, the FAQs say these logs may be stored or transferred outside India, as long as companies are able to share them with CERT-In within a 'reasonable time'. This does not address concerns over localized log-keeping that can disrupt the global nature of cyber incident monitoring and response.

Industry players have expressed more angst with these Directions than tween girls did when One Direction disbanded, and with good reason. They make valid points on how the Directions raise privacy and surveillance concerns, and might make the internet more controlled and monitored.

APEC's cross border data transfer alternative for the world

India's current and proposed data localisation mandates have put a dampener on digital trade/cross-border flow of data conversations with the US. A new forum offers an alternative – the Global Cross Border Privacy Rules (CBPR) Forum.

CBPR 101: The Asia Pacific Economic Cooperation (APEC) CBPR facilitates data transfers across participating APEC member countries through an accountability-based certification system. This means that once the privacy practices of a company are certified, it can transfer data among APEC markets, making it easier to do business.

What's the new Forum about? So far, the CBPR has been limited to APEC members. But in April 2022, Canada, Japan, the Republic of Korea, Philippines, Singapore, Chinese Taipei, and the US announced the establishment of the Global CBPR Forum, which seeks to expand the APEC-led CBPR initiative beyond APEC economies. This could potentially allow non-APEC members such as India to explore participation. The US has reportedly hinted at including CBPR systems in trade discussions of the Indo-Pacific Economic Framework (IPEF). This is interesting given India's recent entry into the IPEF.

In case you missed it

Stars have aligned for

Satcom operators: The Digital Communications Commission, the highest decision-making body in the Department of Telecommunications (DoT), has recommended excluding the 27.5-28.5 GHz band from the 5G spectrum auction. This comes after the Telecom Regulatory Authority of India (TRAI) suggested allocating the band to telecom and satcom operators on a co-existence basis. The 28 GHz band is a contested commodity between the telecom and satellite industries, with both believing that the band should be allocated for their use to the exclusion of the other. Read our explainer on the debate over the 28 GHz band in India here, and TRAI's recommendation on 5G, here. The DoT will decide the fate of TRAI's recommendations.

Mercury is in retrograde for

Cryptocurrencies: The Goods and Services Tax (GST) Council is considering a 28% GST on crypto transactions. The GST Council is examining various aspects of cryptocurrencies - transactions involving crypto, their use to make purchases, and their receipt as payments. Currently, the sale of cryptocurrencies from foreign exchanges to Indian residents (an activity all Indian exchanges reportedly indulge in) is classified as an intermediary service and taxed at 18%.

Online gaming: A Group of Ministers (GoM) looking into GST issues for online gaming is in the process of proposing a 28% GST on online games, casinos, and race courses. There are conflicting reports on the 'base' or point at which GST will be levied on online gaming platforms. It could be either on the initial betting amount, or gross gaming revenue. Reportedly, the GoM is not in favour of levying GST of 28% on every bet made, and will soon submit its report to the finance minister of India. Meanwhile, the industry is concerned about the repercussions of the revised tax and has suggested retaining the current 18% slab.

What are we reading this month?

  1. European Data Protection Supervisor has announced that it will publicly pilot its own social network platforms
  2. This man brought his imaginary childhood friend back to life using AI: A Twitter thread
  3. Feast your eyes on the first image of the black hole at the center of our Milky Way
  4. Apple discontinues the iPod after 20 years!
