EU Justice Department stalls India's security clearance

Without a 'data secure destination' cert India's locked out of $30bn euro-sourcing market


India’s outsourcing giants are likely to face more delays in their frustrated bid to tap a potential IT services market worth $30 billion, after a report emerged suggesting the EU still has big data security concerns with the country.

The EU and India have been trying to finalise their Broad-based Trade and Investment Agreement since 2006, with the goal of breaking down trade barriers, but progress in the past few months has been slow, according to The Hindu.

One of New Delhi’s major requests as part of the deal is for the country to be recognised as a “data secure destination”, an accreditation which could increase the country’s outsourcing revenue from the EU from $20bn to $50bn, according to Nasscom’s Data Security Council of India.

Although the EU Justice Department’s study into India’s data protection regime has not yet been completed, mutterings suggest it has identified significant gaps in local laws which could require time-consuming legislative amendments.

“The recent communication from the EU Justice Department is worrying for us as it indicates that the EU is not willing to offer us data secure status till we make changes in our systems. This could take a long time as it may also require legislative changes,” a Commerce Department official told The Hindu.

“It is very clear that the EU is not in any hurry to give us data secure status. This would hamper the trade talks further.”

The thorough audit demanded by the EU would seem appropriate given the data breaches at Indian IT services firms that periodically come to light.

For example, news broke a year ago that corrupt staff in local call centres were systematically selling on the personal details of millions of British customers.

It’s a problem which was highlighted in February by prime minister David Cameron, who during a trade visit to India signed a deal promising “an unprecedented level of co-operation with India on security issues”.

The joint task force which will be set up between the two countries will see the UK share its expertise in tackling data security with India in order to better secure the increasing amount of data stored on servers in the sub-continent. ®


Biting the hand that feeds IT © 1998–2022