On 04 August 2022, the Cyber Task Force members reviewed some significant developments in India’s digital domain, including Digital Public Infrastructure (DPI), FinTech, Blockchain activities, Non-Personal Data (NPD), a proposal for a new Telegraph Act by the Department of Telecom (DoT), and introduction of a new legislature— the Digital Act by the Ministry of Electronics and Information Technology (MeitY).

In the current scenario, the digital domain is playing a more significant role in every aspect— optimistic or adverse, of national security. Many changes are taking place in India’s digital ecosystem, such as the appointment of a ‘Data Aggregator’ by the Reserve Bank of India (RBI), along with the launch of the Central Bank Digital Currency (CBDC) or Digital Rupee in the fiscal year 2022-2023. Therefore, the digital aspect is becoming the centre of an entire ecosystem, including national, social, physical security, and defence.

Personal Data Protection (PDP) Bill & Data Localisation

The Hon’ble Minister has announced that a new bill with a ‘comprehensive framework’ and digital privacy laws will replace the PDP Bill. The new bill will incorporate the 81 amendments and 12 recommendations proposed by the JCP report. However, among other issues, the following contentions were raised related to the Personal Data Protection (PDP) Bill:

a) In India’s context, data localisation^[1] means that the users’ data remains within India. The JCP report was disputed over personal and non-personal data. Clause 91 of the PDP bill expressed Non-Personal Data (NPD) as data other than personal data.^[2] In other words, it is a ‘meta-data’ which includes the IP address and location data.

b) Sensitive personal data may be transferred outside of India for processing if the individual expressly consents and certain additional conditions are met. Such sensitive personal data, however, should continue to be stored in India. Specific personal data designated by the government as critical personal data can only be processed in India.

c) For all government agencies, the PDP Bill had proposed complete access to the use of personal data without the consent of citizens. Also, the bill sought to give the government the authority to exempt its investigation agencies from the Act’s provisions.

d) According to the JCP report, the bill had identified many relevant points but beyond the scope of contemporary digital privacy laws.^[3]

e) The merging of non-Personal Data and Personal Data under the same bill was one of the disagreements because both forms of data are treated differently in terms of volume and identification.

The 5G Connectivity

The auction of the 5G spectrum began in April 2022, and in early June of the same year, the auction got the Cabinet’s clearance. The GoI provides several policy incentives about spectrum, such as no spectrum usage charges. According to the policy, the charges against buying the spectrum can be paid overtime. Reliance Industries, Bharti Airtel, Vodafone India, and Adani Group are four major telecom companies in India that acquired the spectrum. At the same time, Jio is planning to have largely a standalone architecture in place. However, other Telecom service providers shall be deploying both Standalone and non-Standalone architectures for the same. In non-Standalone architecture, a separate tower can be installed at the top of the existing 4G tower, whereas in Standalone architecture, a separate 5G tower must be installed.

India’s Cyber Capabilities in Information Space

According to the Cyber Capabilities and National Power report prepared by the UK-based think tank—International Institute for Strategic Studies (IISS), India is a third-tier cyber power nation. ^[4] Effectively utilising its tremendous digital-industrial potential and taking a whole-of-society approach to enhancing its cyber security may give India the best chance of moving up to the second tier. Russia and China (in the second-tier of the cyber power index) have strategic and tactical depth regarding their respective cyber operations.

The Cyber Task Force members agreed that we need to strengthen India’s capabilities in the information space where Pakistan can make interruptions and often seems to have a grip over narratives. China is also very active in the same area via its ‘wolf-warriors’ diplomats, marking their strong presence on social media platforms, including Twitter.

Indian Start-ups: A Promised Venture to Invest in

India must invest in innovative technology companies as a strategic intent to build the institution and ecosystem. Considering the risk perspective in Start-ups, the Government of India (GoI) can provide seed money to Start-ups as support to build an ecosystem. The seed money will assist the Start-ups in creating an institution and empower them with the strategic intent.

India must introduce a ‘Stay in India’ scheme in which every start-up/talent funded by the GoI stays back and contribute to India’s digital growth. Many countries in the West are actively luring Indian Start-ups. For example, Finland is targeting two-three Start-up areas, including cyber security. As an upfront investment, the Government of Finland provides around EURO 50,000 (fifty-thousand Euros), with no questions or much paperwork required, but with the condition of moving their base to Finland.

India must also focus on structured human resource capabilities to have highly skilled cyber enthusiasts. We must find our talented cyber-enthusiasts irrespective of investment and bring them into the system with total commitment to the Government of India.

Pathway for the VIF Cyber Task Force

The VIF Cyber Task Force members agreed to have a group on India’s digital preparedness and its various aspects, including security, policy and strategic initiatives. The output of these discussions will be produced in the form of a VIF Cyber Task Force Report or a VIF Paper.

Endnotes :

^[1]Note: Data localisation or data residency framework requires data about a country’s citizens to be collected, processed, and stored within the geographical boundary of that country.
^[2] “The Personal Data Protection Bill, 2019”, PRS Legislative Research Bill No. 373 of 2019, available from: https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
^[3]BS Reporter & PTI, “Govt withdraws Data Protection Bill, 2021, will present new legislation”, Business Standard, 03 August 2022, accessed on 24 August 2022, available from: https://www.business-standard.com/article/economy-policy/centre-withdraws-personal-data-protection-bill-2019-to-present-new-bill-122080301226_1.html
^[4] “Cyber Capabilities and National Power: A Net Assessment”, International Institute for Strategic Studies, 28 June 2021, accessed on 23 August 2022, available from: https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power

(The paper is the author’s individual scholastic articulation. The author certifies that the article/paper is original in content, unpublished and it has not been submitted for publication/web upload elsewhere, and that the facts and figures quoted are duly referenced, as needed, and are believed to be correct). (The paper does not necessarily represent the organisational stance... More >>