There was no need to hold public consultations before releasing the cybersecurity directive because the aam aadmi (common man) is not impacted by it, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, said on May 18 while releasing the FAQs document for the cybersecurity directive.
Ironically, just a few minutes before making this comment, Chandrasekhar praised the IT Ministry’s open approach to consultations:
“Two broad things are becoming signature practices of our Ministry. One is that as we create legislation and rules, we will undertake public consultations before we finalize those and then follow those rules or directions or legislation with easy to understand and easy to comprehend FAQs that go to explain what the logic is, how the rules or legislation or directions are operationalized, and what the end outcome and objective of these changes are.” (emphasis ours)
What is the cybersecurity directive? The Indian Computer Emergency Response Team (CERT-In), which falls under the IT Ministry, on April 28 issued a new directive covering aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service, data centre providers. Cybersecurity experts, VPN providers, and tech companies have all criticised the directive for a long list of reasons including that public consultations were not held prior to the release of the directive.
Industry stakeholders were consulted: IT Ministry
In the FAQs document, the IT Ministry said that consultations with the industry and government organisations were held from time to time, based upon which the draft directions were framed, and subsequently, CERT-In held a stakeholder consultation in March 2022 towards the finalisation of the directions.
Echoing the same thoughts, Chandrasekhar on Wednesday said:
“Cyber security directions are not [for] public consultation. It is to do with the data centres. It is to do with cloud providers. So there was consultation with those people who actually run the relevant infrastructure, those who are impacted by this. There’s no need for us to go to a consultation on cybersecurity directions with, let us say, aam admi, because he’s not coming under this. He’s not covered by this. This is all enterprises and companies and entities that are covered by this.”
It is not clear who participated in the stakeholder consultations, but sources told us that the Data Security Council of India (DSCI), Google, Amazon, and Microsoft were among the participants. MediaNama had reached out to some stakeholders (Google, Amazon Web Services, Microsoft) asking if they were consulted and what was their feedback, to which Microsoft responded by saying that they had no comment to make, while the other two companies are yet to respond.
RBI did no public consultation regarding recurring payments. Market suffered. Ditto data localisation.
CERT-in didnt reg cybersecurity directions. Market is going to suffer.
MEITY did no public consultation re regulation of streaming services & online news.
— Nikhil Pahwa (@nixxin) May 20, 2022
- FAQs On Cybersecurity Directive Adds Fresh Concerns
- VPN Providers Call India’s New Rules Worse Than China, Russia
- Why India’s New Cybersecurity Directive Is A Bad Joke
- Why India Should Not (Yet) Mandate Companies To Adopt A Specific Time Source
Have something to add? Post your comment and gift someone a MediaNama subscription.