Cybersecurity and Data Protection Regulations in IndiaCybersecurity and Data Protection Regulations in India


August 18, 2022



Min Read

Cybersecurity and Data Protection Regulations in India

This is an external post, click the button below to view.
View Post

If you’ve been following our blog posts, you’re already familiar with the topic of cybersecurity and data protection regulations and how they impact original equipment manufacturers (OEMs) in the automotive industry. We’ve looked at how manufacturers can prepare to comply with China’s OTA Regulations, as well as the array of different data privacy and cybersecurity regulations in Latin America. In this article, we will explore the country that supports one of the largest automotive markets in the world: India. 

According to Fortune Business Insight, India accounts for 40% of global two-wheeler sales and 77% of bike production. Of course, these numbers don’t even touch on three-wheeler and passenger vehicle sales. Similar to other countries, India has seen a significant shift toward connected vehicle solutions and with it an increased risk of cyber breaches and attacks. In response, the government is actively working to enhance existing cybersecurity and data protection regulations, as well as adopt new measures. 

To avoid delays in sales and vehicle distribution, OEMs active in India’s automotive market will need to ensure that their connected vehicle solutions are fully compliant with all past and future regulatory requirements. Of course, the first step to compliance is understanding those standards.  

The Information Technology Act 

India guarantees a person’s right to privacy under the Information Technology (IT) Act of 2000. The original act focused on protecting personal information during online activities and transactions through the use of legal recognition practices. However, it was severely lacking when it came to addressing the concerns and violations associated with cyber crimes. In 2011, the Information Technology Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules (2011 Rules) were added as a supplement to the original IT Act under Section 43A. 

Section 43A requires corporations to possess and maintain reasonable security practices when storing, transferring, or handling sensitive and personal data. If the company or data handler fails to protect this data, either through negligence or inadequate protection measures, they are liable for compensating the affected parties for any potential damages. 

Rule 3 of the 2011 Rules outlines the different types of sensitive personal data. 

  • Passwords
  • Bank or financial information
  • Medical records
  • Sexual orientation 
  • Mental, physical, and psychological health
  • Biometric information

It also confirms the protection of any data provided for the purpose of receiving services or for legal proceedings or contracts. It does not, however, protect information that is publically available or included under the Right to Information Act of 2005.

Other rules listed in the 2011 Rules expand data protection rights. One rule requires any entity collecting, storing, transferring, or utilizing data to have a clear privacy policy and make this available upon request. Consent of the data subject must be received prior to collection and may be withdrawn at any time. Exemptions to consent include legal purposes, such as compliance with a legal obligation or a written request from a government agency to investigate potential criminal offenses. In addition, the data processor must not retain data longer than is necessary to fulfill the data’s intended purpose and must maintain comprehensive documentation and adequate security practices to ensure protection during collection, storage, processing, and disposal.  

Data transfers within India and abroad are permitted when necessary and when consent is given so long as the receiving entity or country has a level of security equal to or greater than that outlined in the 2011 Rules. The Ministry of Electronics and Information Technology is the party responsible for overseeing adherence to the IT Act, issuing new rules, and offering clarification. 

As of June 2022, the India Computer Emergency Response Team (CERT-In) added measures to supplement the IT Act data protection requirements. Data processors must maintain records for 180 days, report any breach within 6 hours, and have an assigned point of contact within their organization. Along with issuing new guidelines, CERT-In works to collect and analyze information regarding cybersecurity breaches, predict the possibility of an incident, and enact and coordinate emergency measures to address incidents. 

Personal Data Protection Bill

Although the IT Act provides quite specific guidelines for data protection, the proposed Personal Data Protection Bill (PDPB) of 2019 was intended as a full-scale overhaul of India’s data protection policies. If passed, it will be the first law in India that focuses exclusively on data protection and privacy. Some of the requirements include: 

  • Notice and prior consent for the use of individual data.
  • Limitations on the types of data collected and processed
  • Restrictions that ensure the collection of relevant and necessary data only
  • Data localization requirements
  • Mandates for the appointment of data protection officers within organizations
  • Establishment of the Data Protection Authority of India (DPA) to protect and regulate the use of citizens’ personal data.

In addition to these requirements, the joint parliamentary committee will set implementation deadlines, such as having the DPA active within six months and full compliance with PDPB provisions within 24 months. 

The PDPB possesses a lot of similarities with the IT Act, such as requirements for consent and maintenance of threat mitigation and response mechanisms. However, it also addresses some gray areas. PDPB requires all digital and IoT device hardware manufacturers to have a verification mechanism to mitigate breaches and expands the scope of data protection to include non-personal data as well.  

The only trouble with PDPB is that it is not a law. It is still undergoing review and revision. Even so, automakers would be wise to prepare for compliance to avoid any delays or complications when it does take effect. 

IS 17428 

PDPB might be on pause, but that didn’t stop the Bureau of Indian Standards from mandating IS 17428 in 2021. IS 17428 has two parts. The first outlines mandatory requirements for the establishment, implementation, and maintenance of a data privacy management system. The second provides optional engineering and management guidelines and processes to help data handlers comply with part one. Many of these requirements mirror those found in the IT Act, but also emphasize certain best practices such as the establishment of a Data Privacy Management System (DPMS), a Privacy Risk and Incident Management methodology, and the implementation of regular audits. 

Comparison to International Regulations

India is consistently working to align its data protection and cybersecurity laws with international best practices, particularly those of the European Union. The government has avoided the passing of localized legislation that could impact international trade relations and instead place its focus on regulation modeling and harmonization. The requirements within the PDPB, for instance, are very similar to those found in the EU General Data Protection Regulation (GDPR). As a result, companies who comply with GDPR will be well prepared once PDPB goes into effect. There are however a few key differences to note. 

Unlike GDPR, where each member state appoints an independent, public official as a data protection officer, PDPB grants the Indian government sole responsibility for such appointments. PDPB mandates that all “significant” data processors undergo a yearly audit of data handling processes and security best practices, as well as the creation of a privacy sandbox, or a separate set of standards, for companies dealing in AI, machine learning, and other disruptive technologies. Finally, under PDPB citizens do not have the right to data profiling, something they are entitled to in both GDPR and the UK’s Data Protection Act

Other comparable legislation includes the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29). Although India is a signatory to the UN 1998 Agreements, they have yet to become a signatory of the 1958 Agreements, which means they are not obliged to comply with WP.29 R155 and R156. Regulation 155 outlines requirements for the development and implementation of a Cybersecurity Management System (CSMS) to mitigate cybersecurity risks and breaches. Meanwhile, Regulation 156 dictates standards for Software Update Management Systems (SUMS), a topic of particular import in the connected vehicle sector. The Indian government has not failed to notice the need for more intense regulation in the realm of CSMS and SUMS, which is why India’s Automotive Industry Standards Committee is currently considering two new policies that mirror the requirements outlined in WP.29 R155 and R156. In addition, there has been some discussion about becoming a signatory of the UN 1958 Agreement. 

It is also pertinent to note that India is a member body of the International Organization for Standardization (ISO) and therefore adheres to ISO data protection and cybersecurity requirements, including ISO 27001 and ISO 27701. 

Easing Global Compliance

No automaker likes delays. Delays impact profit, brand image, and marketability. Instead of waiting for an international regulation to catch up, manufacturers need to ensure their connected vehicle solutions are ahead of the game. 

With Sibros’ Deep Connected Platform (DCP), OEMs can rest easy knowing that their over-the-air (OTA) update and data management solution is safe, secure, and reliable on an international level. DCP is an out-of-the-box solution that seamlessly integrates with any vehicle architecture to provide millisecond-level data, vehicle-wide OTA updates, remote commands, deep diagnostics, and more. 

Sibros’ time-proven connected vehicle solution has already been adopted by one of India’s largest two-wheeler automakers and other disruptive OEMs around the world. Ready to unlock hundreds of connected vehicle use cases? Contact us today

Amber Parle
Amber Parle
Amber is a Field Marketing Manager at Sibros with over ten years of writing and blog content experience. She is a University of California at Davis graduate and an avid world traveler.