The Joint Parliamentary Committee has included the regulation of hardware in the new data protection bill. This may be the first time a data protection bill has brought the regulation of hardware devices into its fold. The objective is to regulate hardware devices that collect personal data. The move is attributed to ongoing hardware security threats to India from China.
Kazim Rizvi, the founder of The Dialogue, a think tank, acknowledged during a Twitter Space event with MyBigPlunge on “Data Protection Bill Hardware Regulations And Cross-Border Data Flow” that the threat from China and other countries is very much real. “The parliamentary committee was cognizant of taking such steps which can increase India’s national security and improve, you know, the protection of hardware which is being used in India while at the same time also having certain testing which is done to ensure that the hardware meets the prescribed norms required by the government.”
Rizvi underlines this is the first time that a data protection bill is talking about regulating hardware devices with respect to the information. “This has not been done in the past two versions when the Supreme Court came up with the judgment 2017. The objective was to regulate privacy and regulate data protection for the people of India. But this particular clauses, looking at more from a national security perspective.”
He highlighted that accrediting testing agencies should ideally be kept separate from the agency that conducts the audit. “Now this is probably a way in which you could proceed, by which I mean that you leave the accrediting and the certification to, let’s say a TCR under DOT who are familiar with it on the technical side and you have the wherewithal to handle it.
“Moreover, you have the telecom service providers that have to mandatorily connect the networks on devices that are designated as trusted products from trusted sources as investors under the National Security Directive on Telecommunication Sector. So the point here is that there is an existing set of regulations which are regulating hardware. Now you’re coming through a data protection bill you are trying to do the same objective where the idea for a data protection bill is to protect user privacy. So will there be regulatory overlaps?”
Rizvi noted that this is a broader mandate of the government. “I do believe that there is increasing threat from adversary nations across the border when it comes to importing imports of hardware. So definitely we need to have strong mechanisms when it comes to protecting hardware and using those devices which have prescribed levels of security testing, which has been done on those devices as mandated by the appropriate government, but whether the PDP bill is the right bill to do that or whether the existing relations are enough to achieve it.”
Lloyd Mathias, a business leader, angel investor, and advisor, on his part, believes it’s about protecting India beyond the limit. “One is of course the whole personal data and you know innocence nonpersonal data and at one level what you are saying, it’s impossible to distinguish between personal data and non-personal data. Second is the fact that a lot of hardware devices and if you look at you know the entire gamut of electronic products. Smart watch, smart cameras tracking device is best. Siri BTS best are stations for telecom networks. Almost the bulk of them.”
The government had appointed an expert committee, headed by former Supreme Court judge Justice BN Srikrishna, to draft a Personal Data Protection Bill (PDPB). This was to ensure the growth of the digital economy while keeping the personal data of citizens secure and protected.
One of the recommendations made by the special committee was the testing and certification of hardware devices. There is no coverage for hardware devices involved in personal data collection and processing in the PDPB. As such, the committee recommended the government set up dedicated testing labs or facilities and establish mechanisms to provide formal certification of integrity, trustworthiness, and security of hardware and software for all digital and IoT devices.