The conditions on how data is to be classified have been clearly defined, but further information is needed on the technical specifications or gateways at which this classification will take place, said Vishak Raman, director, security business, Cisco India and SAARC.
“Where the Bill needs to add more clarity is the technical controls – you classify the data, but how do you do it? You do it at a proxy (level), at the firewall, at your Cloud or during file submission, at the DNS security or at email security?” Raman pointed out.
“The government is doing a fantastic job of classification, but how do you control it and how do you report a breach? The government has the knowledge and technical capability to classify it, we just need to add little bit of technical control points so that the law is well interpreted and implemented,” he added.
Technology companies represented by industry lobby groups had earlier flagged concerns, including how the Bill enabled the government to direct data fiduciaries or data processors to share anonymised data or non-personal data with it.
The purpose of the shared data is to facilitate targeted delivery of services and for policy formulation, according to the Bill.
Technology companies are seeking further clarity on what processes should be in place when the government requires access to non-personal customer data, said Rohini Srivathsa, National Technology Officer and Strategy Lead, Microsoft India.
The company itself is seeking to clarify the conditions and safeguards under which data would be localized, she said.
“We, as part of industry forums, have given not just our view, but what is right for the country, because we can say as much as we want that the data is in a data centre, but if you have not thought about cybersecurity, it doesn’t matter,” she said.
Industry has also raised concerns over data localization and around the competitiveness of Indian businesses, Srivathsa said. “What about startups from India who want to access the global market? Let’s say there is a fintech company that wants to provide services in Europe. The way consumer experience now is, even a few nanoseconds of delay or latency in an app — and people don’t use it.”
Analysts said that a minor delay is inevitable if the application of a security process is in local datacentres or ‘cloud regions’.
“As customers move workloads to the cloud, they have to protect and secure those workloads with encryption and other security tools. This typically adds a bit of latency (of a few microseconds) – but it’s a fair trade off,” said Arun Chandrasekaran, distinguished VP, analyst, Gartner.
Prasad Rai, country head for applications at Oracle India also said that the Bill needs to provide further clarity,without mentioning the specific areas where more information was required.