Policy formulation can be really wonky. For instance, the Ministry of Electronics and IT (MeitY) has a particular manner in which it formulates policies. It brings out new rules and regulations without public consultations—and sometimes, these rules go against MeitY’s own mandate. Let me jog your memory. Section 66A of the IT Act of 2000 made it culpable to send information that’s “grossly offensive”, or had a “menacing character”. Now, it just wrote those big words without defining them. It was left to be interpreted by the cops and the courts. Given their repercussions on free speech, the Supreme Court had to strike down 66A in 2015. The same year, MeitY issued a draft encryption policy to help the government read all encrypted communications. Guess what happened next? It was withdrawn the next day. Cut to 2022. On 2 June, the ministry formulated and released a draft amendment to IT rules. The amendment mandated that grievance redressal committees be formed to review or reverse content moderation decisions made by social media companies. That draft, too, was taken back. This time, within just a few hours. The real déjà vu moment, however, came in April this year, when the ministry released another draft. This time, pertaining to cybersecurity. The new draft rules intend to improve security practices and reporting of incidents. However, the rules have raised a plethora of concerns, writes Soumyajit in today’s story. And chief among these concerns was the ambiguity surrounding compliance and the wide ambit of the directives themselves. MeitY rushed to clarify the regulations with an FAQ comprising 44 questions. And it didn’t just release it like that—it did so by organising a press conference. Though the FAQs provide some indication of CERT-In’s intentions, the FAQs are being seen as “a supplementary document to the directives, and their legal standing may be contested,” The rules are being contested by large tech companies, privacy advocates, and start-up founders. But it will particularly hit small and medium enterprises, which lack the financial wherewithal to invest in cybersecurity. After research by our team come out with a meticulously reported piece on how and where the new - and vaguely worded - rules will hit the MSME's
