Blog Posts Business Management

NASSCOM-DSCI Discussion Paper: The Road Ahead for Encryption in India

Blog: NASSCOM Official Blog

NASSCOM and DSCI are pleased to release their latest Discussion Paper on the Road Ahead for Encryption in India. Using the premise of recent developments relating to personal data protection, cyber-security and prevention of online harms, the Discussion Paper explores possible paths towards a well-balanced regulatory framework for encryption in India – one which balances the needs of individual privacy and State access to communications information.

We trust the industry will find the Discussion Paper to be timely, given that a number of important and concurrent developments have taken place over the past year, materially impacting the manner in which companies use and deploy encryption products. These developments include the increasing threat of large-scale cyber-attacks from both State and non-State actors and consequent scrutiny of Over-the-Top (OTT) applications by the Government, the introduction of the PDP Bill before the Parliament of India, and the ongoing review of the Information Technology Act, 2000 and the proposed amendments to the Information Technology (Intermediaries Guidelines) Rules, 2011.  All of these provide both the urgency and opportunity, to engage and shape the future of encryption and privacy in India.

We request you to kindly share your inputs with before 30 September 2020. We will  be organising an Online Policy Round-Table Discussion to discuss the issues raised in the Discussion Paper in September, 2020. Details of the meeting will be shared with members once the dates are finalised.

Lastly, NASSCOM and DSCI would like to thank the Quantum Hub Consulting, (TQH) for their research support and inputs towards this Discussion Paper.

Executive Summary

Recognising the importance of encryption in data protection and cybersecurity applications, the Government passed the Information Technology (Amendment) Act, 2008 (IT Amendment Act) which among other significant amendments, inserted s.84A, empowering the Government to prescribe modes and methods for encryption, to ensure the secure use and promotion of e-governance and e-commerce.

This paved the way for the government release a draft National Encryption Policy in 2015. However, this draft was soon withdrawn owing to significant opposition from cyber security experts and privacy advocacy groups.

Accordingly, the need for a harmonised and over-arching framework for regulating the deployment and use of encryption, as well as the State’s ability to decrypt private communications online, remained unaddressed.

While various subordinate legislation and executive agreements, enforce sector specific norms for the deployment of encryption (for instance, the Reserve Bank of India (RBI) prescribes encryption standards for financial sector data, and the Unified License (UL) prescribes standards of encryption for licensed telecommunications service providers (TSPs)), there is no uniform sector-agnostic framework for the regulation of encryption.

As a result, the extant regulatory framework for encryption and decryption in India, can largely be found under the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act).  The provisions contained therein continue to be the primary avenue of information access by law enforcement agencies (LEA) in India, and issues relating to process safeguards in the process for LEA access to decrypted data, remain. Moreover, with the advent of new communications and social media platforms, and the ubiquity of cloud, LEAs are increasingly facing technological and jurisdictional issues, while seeking access to decrypted information – causing the government to inter alia consider:

in order to secure access to decrypted information. However, some of these proposals might actually go against the State’s competing regulatory objective to protect citizen’s data privacy. Accordingly, any eventual framework would have to carefully balance the competing concerns of privacy and national security.

Internationally, there is no one strategy that has been adopted by jurisdictions towards finding this balance. Jurisdictions such as USA, UK and Australia have passed, or are considering the passage of legislation enabling wide-ranging access to encrypted data to LEAs – including obligations to mandatorily develop capabilities to decrypt information even in situations where encryption keys are not available.

On the other hand, jurisdictions such as France and Germany, have adopted a more pro-encryption stance, by inter alia recognizing a general right to encryption, enabling State enabled ethical hacking to enable decryption in certain instances, and considering the introduction of a Vulnerabilities Equities Process.

This, against a backdrop of stronger personal data protection laws being enacted all over the world, including the European Union’s General Data Protection Regulation (GDPR), and the Personal Data Protection Bill, 2019 (PDP Bill) in India, which promote the usage of encryption as a security safeguard towards protecting data subjects’/principals’ privacy.

Given these developments, and recent statements from the Ministry of Electronics and Information Technology (MeitY) indicating an upcoming review of the IT Act, there exists both the urgency, and opportunity to move the debate on encryption forward.

The Discussion Paper provides a brief overview of the legal framework in India, assesses the various approaches that have been adopted or are being contemplated by other jurisdictions, and seeks answers to:

The post NASSCOM-DSCI Discussion Paper: The Road Ahead for Encryption in India appeared first on NASSCOM Community |The Official Community of Indian IT Industry.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples