Global Information Technology Frameworks in India

Arun Prabhu and Molshree Shrivastava, of Cyril Amarchand Mangaldas, examine cybersecurity and localisation considerations in India.

Published on 31 March 2022

New Developments in IT Regulation

Since 2017, India's information technology landscape has seen several key regulatory, legislative and judicial developments, including most recently a revised draft of the Data Protection Bill, 2021 (DPB).

These developments create a need to design and develop information technology systems, and implement cybersecurity measures, to comply with forthcoming changes.

Increased Focus on Cybersecurity and System Infrastructure

India's information technology law, which is soon to be overhauled, makes the reporting of cybersecurity incidents to CERT-In, India's nodal cybersecurity agency, mandatory.

While this requirement is long-standing, several recent high-profile security incidents (including international data breaches) have been followed by the relevant entities (or their Indian subsidiaries) receiving show-cause notices from CERT-In. Given that non-reporting carries material consequences, some of which the regulator has already threatened to impose, there is an increased focus on incident reporting in India.

CERT-In also periodically issues advisories on securing IT infrastructure. Demonstrable compliance with these advisories, prompt reporting and a valid ISO 27001 certification can stand an organisation that receives a show-cause notice in good stead.

Since 2020, geopolitical events and trends have resulted in India's Ministry of Electronics and Information Technology banning over 200 applications in India on the grounds that they were malicious and were stealing users' data and surreptitiously transmitting it, without authorisation, to servers located outside India.

These bans have been enforced not only against the applications themselves, but also against the cloud service providers and content delivery networks that hosted or served them.

Increasing Localisation of Data in India

In a limited-distribution notification, subsequently annexed to notifications issued by the Securities and Exchange Board of India (India's securities market regulator), CERT-Fin, a dedicated computer emergency response team for the financial sector, specified several granular requirements for the use of software-as-a-service (SaaS) solutions for governance, risk and compliance. These included a broadly worded requirement to keep various categories of data within the legal boundaries of India.

The Reserve Bank of India (RBI) has long prescribed localisation requirements for banking and payments data. These are supported by a detailed audit and certification framework, and non-compliance has been punished by restricting prominent card networks and, recently, a leading payments bank from onboarding new customers.

The Insurance Regulatory and Development Authority of India (IRDAI), India's insurance regulator, has notified data localisation requirements for policy, claims and policyholder data and for the electronic maintenance of core business records, and regularly issues audit and inspection observations on these points. Similar mechanisms exist for telecom data.

Localisation requirements have also been prescribed in relation to a wide range of other data sets, including non-personal data, geospatial data above a prescribed threshold, and data generated from sources such as social media networks, public internet of things (IoT) devices, search engines and e-commerce companies.

The DPB specifies much broader restrictions, covering cross-border transfers of both sensitive personal data (SPD), such as financial and health data, and critical personal data (CPD), a category that is yet to be defined. SPD can only be sent outside India with explicit consent, pursuant to a contract or intra-group scheme approved by the Data Protection Authority (DPA), or to a jurisdiction or recipient permitted under a data adequacy framework. A copy of SPD must be stored in India at all times; CPD cannot be transferred outside India except in very limited circumstances.

Implementing Flexible Architecture

The developments described above, together with increased regulatory and judicial focus on data privacy in India, mean that organisations implementing information technology and security frameworks in India will need to adapt those frameworks for India, at least to some degree. Implementing a flexible architecture capable of meeting regulatory requirements, including localisation, and relying on compliance as a service may well be the way to go until the relevant frameworks are settled.


Chambers Global Practice Guide Cybersecurity 2022