
Update: NASSCOM-DSCI Discussion Paper on Road Ahead for Encryption in India (Version 1.1)

Blog: NASSCOM Official Blog

Earlier in September 2020, NASSCOM and DSCI released a Discussion Paper on the Road Ahead for Encryption in India. Based on feedback received, we have revised selected portions of the Discussion Paper, and are pleased to release Version 1.1 of the Discussion Paper. The new version includes corrigenda, as well as information on recent developments such as the issuance of a Joint International Statement by the Governments of United States of America, United Kingdom, Australia, New Zealand, Canada, Japan and India, on “End-to-end Encryption and Public Safety.” The Statement urges the private sector to work closely with Governments towards ways of protecting privacy through encryption, while enabling law enforcement to act swiftly against public safety threats.

While the Statement leaves room for more clarity, it clearly establishes the Governments’ rejection of the assertion that public safety cannot be protected without compromising privacy or cyber security. To this end, the Statement makes meaningful industry engagement towards mutually agreeable solutions an absolute imperative.

We look forward to receiving your feedback on the latest version of the Discussion Paper. We request you to kindly share your inputs with indrajeet@nasscom.in.

Executive Summary

Recognising the importance of encryption in data protection and cyber-security applications, the Government passed the Information Technology (Amendment) Act, 2008 (IT Amendment Act) which, among other significant amendments, inserted s.84A, empowering the Government to prescribe modes and methods for encryption, to ensure the secure use and promotion of e-governance and e-commerce.

This paved the way for the government to release a draft National Encryption Policy in 2015. However, this draft was soon withdrawn owing to significant opposition from cyber security experts and privacy advocacy groups.

Accordingly, the need for a harmonised and over-arching framework for regulating the deployment and use of encryption, as well as the State’s ability to decrypt private communications online, remained unaddressed.

While various subordinate legislation and executive agreements enforce sector-specific norms for the deployment of encryption (for instance, the Reserve Bank of India (RBI) prescribes encryption standards for financial sector data, and the Unified License (UL) prescribes standards of encryption for licensed telecommunications service providers (TSPs)), there is no uniform sector-agnostic framework for the regulation of encryption.

As a result, the extant regulatory framework for encryption and decryption in India can largely be found under the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act). The provisions contained therein continue to be the primary avenue of information access by law enforcement agencies (LEA) in India, and issues relating to procedural safeguards for LEA access to decrypted data remain. Moreover, with the advent of new communications and social media platforms, and the ubiquity of cloud, LEAs are increasingly facing technological and jurisdictional issues while seeking access to decrypted information – causing the government to inter alia consider:

in order to secure access to decrypted information. However, some of these proposals might actually go against the State’s competing regulatory objective to protect citizens’ data privacy. Accordingly, any eventual framework would have to carefully balance the competing concerns of privacy and national security.

Internationally, no single strategy has been adopted by jurisdictions towards finding this balance. Jurisdictions such as the USA, UK and Australia have passed, or are considering the passage of, legislation enabling wide-ranging access to encrypted data for LEAs – including obligations to mandatorily develop capabilities to decrypt information even in situations where encryption keys are not available.

On the other hand, jurisdictions such as France and Germany have adopted a more pro-encryption stance, by inter alia recognising a general right to encryption, permitting State-enabled ethical hacking to enable decryption in certain instances, and considering the introduction of a Vulnerabilities Equities Process.

This comes against a backdrop of stronger personal data protection laws being enacted all over the world, including the European Union’s General Data Protection Regulation (GDPR), and the Personal Data Protection Bill, 2019 (PDP Bill) in India, which promote the usage of encryption as a security safeguard towards protecting data subjects’/principals’ privacy.

Given these developments, and recent statements from the Ministry of Electronics and Information Technology (MeitY) indicating an upcoming review of the IT Act, there exists both the urgency and the opportunity to move the debate on encryption forward.

The Discussion Paper provides a brief overview of the legal framework in India, assesses the various approaches that have been adopted or are being contemplated by other jurisdictions, and seeks answers to:

The post Update: NASSCOM-DSCI Discussion Paper on Road Ahead for Encryption in India (Version 1.1) appeared first on NASSCOM Community | The Official Community of Indian IT Industry.
