Hardware device makers, such as manufacturers of mobiles, PCs, laptops, tablets, and so on, have unanimously opposed a recommendation by the Joint Parliamentary Committee (JPC) that the Data Protection Authority (DPA), proposed to be set up under the draft Data Protection Bill, should regulate the monitoring, testing and certification of hardware devices.
However, the move has found favour amongst some telecom operators. In various stakeholder meetings, they have pointed out that the government has already put in place a requirement for the testing of telecom equipment to ensure that any equipment that is connected to a network comes from “trusted sources”. Telcos say that while the clearances take care of the security and privacy issues of telecom equipment, they do not include hardware devices in their ambit.
Telecom equipment is also scrutinised for safety and security by the Telecom Engineering Centre (TEC), which is part of the department of telecommunications.
Says a top executive of a telecom company, “If telecom equipment is going through various stages of testing and certification, why should other hardware devices like mobile phones, where data breaches are easier, not be subjected to similar scrutiny?”
Opposing the move strongly, the India Cellular and Electronics Association (ICEA), which represents all leading telecom device makers, has said that it would have serious consequences for the high-growth mobile device sector and is against global best practices.
One additional certification (currently all of them take a BIS certification) would delay the market entry of electronic equipment, and lab testing could even require a year, pushing back Indian consumers’ access to new products.
The ICEA also says that the move goes against the government’s attempt to reduce obstacles to ease of doing business. Besides, the testing and certification may not achieve its intended purpose in consumer devices. The most significant threat to consumer devices such as smartphones, laptops and tablets comes from software installed by a user after buying the device or from unauthorised parts installed by unauthorised repair centres. Hence, a pre-sale lab certification would not be effective at all.
A post-sale certification at the behest of the consumer would need to take into account all such changes that have been made to the device. However, this would put undue liability on the data fiduciary and goes beyond their reasonable control. ICEA has argued that once the device leaves the assembly line, manufacturers cannot be reasonably held accountable for possible consumer misuse or the modification created by files or apps not regulated by the manufacturer.
In a communication to IT minister Ashwini Vaishnaw, MAIT, the apex body that represents India’s information and communications technology (ICT) sector, has complained that at no stage of its deliberations had the JPC discussed this point with the stakeholders. It adds that the recommendation to regulate hardware manufacturers shows “a complete disregard of MEITY’s (ministry of electronics and information technology) current mandated testing and certification framework” which has been complied with by industry for over a decade.
MAIT has argued, moreover, that the JPC recommendation merely duplicates this process by adding both a new authority and mandatory compliance requirements, and this would seriously jeopardise India’s ambitious electronics export targets. Business Standard