The Indian Computer Emergency Response Team, or CERT-In, has been exempted from the purview of the Right to Information Act, 2005.

The CERT-In, which is the country’s national cyber security agency, operates under the Ministry of Electronics and Information Technology. Experts have criticised its investigations of major data breaches in the country for lack of transparency.

The agency’s exemption from the RTI Act comes amid its investigation into the Apple security notifications. In October, several Opposition leaders and journalists said that they received an alert from the iPhone manufacturer cautioning them against “state-sponsored attackers trying to remotely compromise” their phones.

On November 25, Apar Gupta, a policy expert and founding director of the Internet Freedom Foundation, in a social media post, said that the notification exempting CERT-In contains no reason for the action.

“Here, the message is simple, while the Union government wants to peep into your private lives and then leak it to the world, it does not want to answer any of your questions,” Gupta said.

This is the first time in seven years that an agency has been exempted from provisions of the RTI Act, reported The Hindu. In 2016, the Strategic Forces Command under the Ministry of Defence was exempted from RTI’s purview by bringing it under the Act’s second schedule.

The schedule lists exempted agencies.

Section 24 of the law says that nothing contained in this Act shall apply to the intelligence and security organisations specified in the second schedule, being organisations established by the Central government or any information furnished by such organisations.

There are 26 other Central government intelligence and security agencies included in the Act’s Second Schedule. These include the Intelligence Bureau, the Research and Analysis Wing, the Directorate of Enforcement and the National Technical Research Organisation.

Among other cases, CERT-In is also tasked with investigating recent cyber security incidents, such as the ransomware attack at the All India Institute of Medical Sciences on November 23, 2022.