India’s online privacy and freedom of expression are at risk due to new cybersecurity regulations from the Computer Emergency Response Team (CERT-In). These regulations enforce mass surveillance on internet services, threatening privacy, anonymity, and online security. The regulations were implemented without public consultation, with the government claiming they don’t affect citizens. They aim to protect against cybersecurity attacks and maintain public order.
The new regulations impact human rights, particularly privacy and freedom of expression. They enable surveillance and compromise privacy, causing concern among human rights and digital rights defenders. A global NGO coalition has urged CERT–in to withdraw the regulations and consult with human rights and security experts to enhance cybersecurity while protecting human rights.
The regulations require service providers to keep logs of all their internet and communication technology systems within India for 180 days. This raises concerns about government access to excessive user data and compliance with international personal data privacy principles. The regulations also impose data retention obligations, forcing providers to collect customers’ data for at least five years, infringing on the right to privacy and the presumption of innocence.
The regulations also impose stringent cybersecurity reporting requirements and grant CERT-In new powers to order providers to turn over information. This could lead to misuse or abuse of such orders. The regulations also pose a threat to VPNs, which play a crucial role in securing users’ confidential information and communications. If VPNs comply with the regulations, they can no longer offer anonymous internet communications, making VPN users easy targets for state surveillance.