Data Encryption

Many of the Indian and international companies want to understand the permitted encryption levels under Indian law, whether the companies can use the higher encryption than the prescribed limits, and the penalties for contravention of the permitted encryption levels.

The Indian government has prescribed the encryption level of up to 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms to be deployed by all the service providers and their customers under the Guidelines and General Information for Grant of Licence for Operating Internet Services (the “ISP Guidelines“).

If a company wants to use a higher encryption, the company will require the Department of Telecommunications’ (DoT) prior written permission and deposit the decryption key, split into two (2) parts, with the DoT.

There are certain government authorities in India such as the Reserve Bank of India (the “RBI“) and the Securities Exchange Board of India (the “SEBI“) that mandates use of minimum 128 bit key length encryption in India for the internet banking and transactions and for investor security.

However, the DoT has not as yet taken any steps to increase the approved encryption level to harmonize with the global encryption levels and to ensure higher security of the sensitive and personal data transferred.

From a practical standpoint, currently, all the banks in India and many financial institutions, Indian railways, and other companies use encryption higher than the DoT prescribed encryption of 40 bit key length.

There are no penalties prescribed under the ISP Guidelines for non-compliance of the stipulated encryption levels or the ISP Guidelines.  However, the DoT can impose penalties including punitive action, cancellation of the ISP registration, monetary penalties, etc., prescribed under the India’s Information Technology Act, 2000.