New cybersecurity laws could increase your mobile data bills
privacy of mobile users amid ambiguity around the nature of consumer data that can be sought by the Centre, senior telecom executives and legal experts said.
They added that the new rules could also throw up implementation challenges as the mandated six-hour timeline to report cybersecurity incidents to the government is a fraction of the time allowed under comparable laws in the US and the European Union (EU).
Leading corporate lawyers, who work closely with India’s top telcos, have flagged concerns around the privacy of consumers of mobile services, saying the notified cybersecurity rules—which empower the government to demand traffic data from telcos—have neither defined ‘traffic data’ nor specified any limitation on the duration for which such data can be stored. This ambiguity in the new rules, they warned, potentially allows private consumer data to be retained indefinitely without any legal or procedural constraints.
Legal experts added that the new regulations, which require a telco to report a cybersecurity incident within six hours to the Centre, are too ambitious, arbitrary and not in sync with global best practices, and accordingly, would face severe implementation challenges.
They have pointed out that even in the US, the Cyber Incident Reporting for Critical Infrastructure Act prescribes a 72-hour timeframe to report cyber incidents. Likewise, Article 33 of the General Data Protection Regulation—applicable in the EU—too allows a 72-hour span to notify personal data breaches.
Artificial
