India will release a concept paper on its Data Protection Act within a week seeking stakeholders’ comments as government experts grapple with issues concerning inter-operability, security and privacy of new emerging technologies such as artificial intelligence and cloud computing, said Gulshan Rai, National Cyber Security Coordinator under the Prime Minister's Office.
“We need to define security standards and protocols,” Mr. Rai told delegates at a Internet of Things (IoT) conference here on Thursday. “Government is in the process of evolving a Data Protection Act. There is an expert committee under the chairmanship of Justice Srikrishna, of which I am also a member. The concept paper of the group will be out in a week’s time.”
To keep data of Indians “secure” and “protected” the Ministry of Electronics and Information Technology, on July 31, formed a committee of experts headed by B.N. Srikrishna, a former Supreme Court judge.
The experts, who include members from the government, academia and industry, will identify data protection issues and recommend methods for addressing them. It will also suggest a draft Data Protection Bill.
Technical issues
“There are technical issues such as interoperability, compatibility, privacy, security and adaptability and the cost of implementation. The other issues concern the diplomatic part of it. Also, do we have a international legal framework? How do we interpret the jurisdiction? That is another challenge,” Mr. Rai said.
There are nine billion IoT devices worldwide and by 2020 “we expect almost an increase by factor of three.” Today, the entire turnover of IoT devices is about $150 billion and “we expect it to go up by a factor of four in the next four years,” he said, quoting a report.
The committee’s view was that before the technology was implemented in the smart cities one needs to have a security architecture and framework in place, Mr. Rai said.
“Who will tellus, we did not have any experience. We had some expertise of what the security systems are in the conventional systems. We did not have the experience on smart cities and other technologies. There will be a different sort of technological implementation issues in smart cities and IoT technologies. Those can be in terms of protocols, application programme interface and upgradation software,” he said.
“A whole new world, not only for the development of technology, but for security will also emerge. The investment on device is much lesser as compared to the investment planned on security in both architecture or security application,” Mr. Rai said. A UN Group of Governmental Experts, tasked with examining cyberthreats and making recommendations, was unable to reach a consensus on its final report in June. While previous UN GGE reports remain valid and applicable, though not legally binding, the group’s future is uncertain, according to a statement on the UN website.
Nations may move towards bilateral agreements, a trend which was prevalent in 2015 and 2016, according to the UN.
“When we went to the meeting there were lot of opposition on the attributions,” Mr. Rai said. Ultimately how do you attribute where the crime incident happened? Who is the actor? How do we define attribution? Do we have the inherent right to defend if attack happens? The talks failed.”
“Relationship with industry is important on realising what is the techno-cyber or techno-legal procedure is,” he said. “Today we need a collaboration with the industry because the entire cyber governance involves multiple stakeholders. We need help of stakeholders to build security architecture and cybergovernance architecture. We are looking at whether to be compatible to the European GDPR or the U.S. standard.”
Mr. Rai told the industry to build capacities for training graduates on new technologies by initiating short-term courses which needed to be upgraded from time to time.
“Discussions are on with IIT Delhi and Hyderabad. Practical part will have to come from the industry. We want to set up 10 centres in the next eight to nine months.”
