IT Bill requires a serious revision

The Information Technology (IT) and Cybersecurity Bill, published on 10 March 2024 for public feedback, is currently under review by MOCIT (Ministry of Communication and Information Technology). Aimed at addressing digital signatures, cloud computing, cybercrime and major digitalization of public services, including the creation of websites for all government agencies, establishment of a national cybersecurity center, and forensic center, it represents Nepal’s stride toward implementing robust IT and cybersecurity regulations.

Nepal aims to implement these regulations to tackle the rising tide of crime due to fast digitization in the country. However, certain aspects of the bill, particularly concerning cloud computing and data centers, raise concerns. The requirement for companies to obtain licensing approval and undergo yearly renewal, while perhaps well-intentioned, may not foster innovation and economic growth effectively. Considering the substantial investment required for data centers and cloud computing infrastructure, businesses should ideally focus on their core operations without undue bureaucratic hurdles.

In international practice, the EU and the USA in particular do not mandate specific licensing requirements for data centers or cloud service providers at the national level. Instead, companies are regulated by industry standards and market competition, while compliance with relevant regulations ensures legal operation and maintains customer trust. India's approach to supporting businesses through its policies employs various strategies that foster businesses from their inception. These strategies include ensuring that all approvals required for commencing business are granted within 15 working days, offering 100 percent exemption from property tax for 10 years, and providing subsidies such as Capital Investment Subsidy, Lease Rental Subsidy and Interest Subsidy.

Several other provisions within the bill could have significant impacts on businesses. For example, the requirement for companies operating critical infrastructure to submit design and configuration documents to government bodies raises concerns regarding potential violations of intellectual property rights. Here, the bill fails to address the issue of compensating businesses for damages resulting from intellectual property theft. In cases of intellectual property theft, only minimal punishment and fines need to be paid to the government, with no compensation provided to the intellectual property owner. This omission could leave affected companies vulnerable to substantial financial losses without any possibility of recovery.

Also, instead of requiring permits from government bodies for the import and distribution of IT equipment, the government could have provided for the establishment of minimum standards, allowing the import of equipment meeting or exceeding these standards without approval.

The requirement for data storage within Nepal's borders for financial and health organizations may pose feasibility challenges, especially during the period when the government is aggressively promoting cross-border financial practices. In the case of data collected by private organizations, it may be more practical to allow them to store their data in public clouds, with the condition that they are responsible for ensuring the security of their information. The level of security required should be determined based on the sensitivity of the data being stored, with varying levels of security measures such as encryption being implemented accordingly.

Several provisions within the bill raise concerns for individuals as well. For example, the provision allowing the storage and use of sexual material for educational or medical purposes could potentially be misused. Stringent cybersecurity measures must be applied to the machines storing such material. If the material is leaked or hacked due to inadequate security measures, the entity responsible for storing it should be held accountable, and appropriate punishment should be enforced. 

The definition of criminal activity outlined in the bill is quite vague in many places, raising significant privacy concerns. Under this definition, the government could demand the submission of personal private keys. Additionally, provisions allowing investigating officers, such as police inspectors, to collect electronic devices and traffic data without proper oversight could be prone to misuse. It is recommended that higher-ranking officials, like SSPs or DIGs, oversee such activities to ensure accountability and prevent potential misuse.

The bill's own provisions for meetings of the National Cybersecurity Committee do not recognize live video links, online meetings or any other electronic means of communication for any meeting of the committee; physical presence is mandatory. The government is trying to address emerging technologies like AI and blockchain, with few definitions for proper use, but these technologies will require further study and regulation going forward.

While the IT and Cybersecurity Bill represents a significant step toward bolstering Nepal's digital infrastructure, careful consideration and amendments are necessary to address concerns and ensure the bill aligns with business-friendly practices and privacy rights. As technology is rapidly changing, it becomes imperative that the laws are modified at the same pace, something which was lacking in the past.

The author is a cybersecurity professional and student of information management. Views are personal.
