Indian cybersecurity rules due to come into force will create an "environment of fear rather than trust", a body representing top tech companies has warned the government, calling for a one-year delay before the rules take effect

FREMONT, CA: IAMAI, which represents companies such as Facebook, Google, and Reliance, wrote to India's IT ministry, expressing its dissatisfaction with an April cybersecurity guideline. A new rule issued by the Indian Computer Emergency Response Team (CERT) requires IT companies to report data breaches within six hours of becoming aware of them and to keep IT and communications logs for six months. Reuters reported that the IAMAI called for extending the six-hour timeframe in a letter, adding that the international standard for reporting cyber-security problems is 72 hours. In addition, CERT, part of the Ministry of Information Technology, has ordered that cloud service providers like Amazon and virtual private network (VPN) providers retain the names and IP addresses of their customers for at least five years after they stop using their services.

A statement from IAMAI points out that following such guidelines may be extremely costly, and the suggested penalties for violations may lead entities to stop business in India for fear of being fined. Earlier this week, ExpressVPN pulled its servers out of India, stating that it "refuses to assist the Indian government's efforts to undermine internet freedom. IAMAI's letter follows one issued earlier this week by 11 major tech-aligned sector organizations, which stated that the new restrictions made doing business in India difficult. Recent industry backlash and damaged trade ties between New Delhi and Washington have resulted from India's increasing oversight of giant digital businesses. The new laws are necessary because cybersecurity breaches are frequently reported, but the information needed to investigate them is not always easily available from service providers.

The initiative has raised concerns about a greater compliance burden and higher expenses for the industry. Despite the concerns, India's junior IT minister Rajeev Chandrasekhar claimed there will be no adjustments, claiming that tech companies have a responsibility to know who is using their services. However, the rules have sparked significant dissatisfaction. According to a source with firsthand information, many social media and internet firm leaders discussed methods to persuade New Delhi to postpone the guidelines in a closed-door meeting this week.  European regulators require data breaches to be notified within 72 hours, but reporting occurrences in six hours is challenging. India, on the other hand, is being kind, according to Chandrasekhar, because certain countries require rapid reporting.

The rules are expected to be implemented by the end of June. NordVPN, one of the world's major VPN companies, indicated it may remove its servers from India after they were announced. The laws, according to privacy advocates, are incompatible with the objective of a VPN, which is to protect the identity of persons such as whistleblowers from surveillance.