What happened
India approved new rules that require messaging apps to store user data for up to five years and provide it to authorities when requested. The government said the policy supports national security investigations.
Who is affected
Messaging platforms that operate in India, including encrypted apps, along with the users who depend on these services for private communication.
Why CISOs should care
The rules may push global platforms to change how they manage encryption and retention. Organizations with staff, customers, or operations in India may face new compliance pressure and a higher risk of exposure during government access requests.
3 practical actions
- Review data retention and encryption policies to confirm they align with India’s new rules without reducing security.
- Update risk assessments for workflows that rely on messaging platforms affected by the policy.
- Prepare clear internal guidance for legal, compliance, and communications teams on how to manage government data requests.
