This post is authored by Raj Shekhar, a fourth-year student from National University of Study and Research in Law, Ranchi
The Indian Computer Emergency Response Team (“CERT-In”), on 28th April 2022, issued new directions (“Directions 2022”) under the powers conferred to it by Section 70B(6) of the Information Technology Act, 2000 (“IT Act”). The Directions 2022 have sought to improve cyber-security by incorporating stringent provisions ranging from breach reporting to data retention for security purposes. Owing to its status as the national agency for the upkeep of cyber security, as per provisions of Section 70B of the IT Act, the CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation (“Entities”). However, while the Directions 2022 have received applause from many cyber security experts owing to the expedited and stringent measures for blocking and identifying cyber security threats, there have been criticisms on grounds of privacy infringement, over-regulation, etc. as well. In light of the same, this article tries to evaluate the criticisms and analyse if the Direction are ushering us into a solely optimistic cybersecurity and data regime.