India’s New Data Law Will Likely Push VPN Providers Away


VPN providers are fighting back against and criticizing an alarming demands of India’s New Data Law requiring them to gather and send over customer data.

On April 28, the Indian government’s Computer Emergency Response Team (CERT-In) issued an order that might force VPN providers to stop providing services to the country entirely.

The government demands that all VPN providers operating in the nation save user data for at least five years and report cyber events within six hours to aid in the investigation of probable cybercrime.

In two months, the new restrictions will take effect.

India might join nations like North Korea, Russia, and China, where providers have either never had a presence or have withdrawn their servers once the order takes effect.

Advertisement ~ Scroll to continue

VPNs encrypt user data while providing them with an IP address in a country of their choice on the internet.

They mask users’ identity by assigning a temporary IP address to their device that is hosted on a distant server.

VPN providers would be forced to register correct and thorough information from all Indian customers under the new legislation.

Users’ valid identities, length of usage, assigned IPs, email addresses, time stamp at time of registration, valid addresses, and contact numbers are all stored for a minimum of five years, even if they cancel their subscriptions.

Noncompliance, according to the decree, may result in VPN businesses being banned and executives serving a year in prison.

The ruling has been seen by experts as a further blow to India’s already shaky rights to privacy and freedom of expression.

According to Entrackr, a startup and tech news blog, NordVPN, one of the world’s major VPN services, has indicated that it may exit India.

Patricija Cerniauskaite, a spokesman for NordVPN’s parent firm Nord Security said, “We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left.”

Some service providers, such as ExpressVPN and ProtonVPN, have expressed their worries as well, and have indicated that they may chose not to comply.

“The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance.” “We remain committed to our no-logs policy,” ProtonVPN tweeted on Thursday, giving its rules for customers in high-risk nations.

The Indian government’s action, according to Harold Li, vice president of ExpressVPN, “represents a troubling attempt” to infringe on individuals’ digital rights, adding that the business would never track user information or behavior.

If and when required, he stated, the corporation will change its operations and infrastructure “to preserve this principle.”

Concerns have also been made by human rights organizations regarding the latest approach.

The rule is being criticized by Amnesty International’s India office, which says VPNs allow “digital anonymity, which has been essential in preserving the rights of journalists, activists, and students who have faced a persistent crackdown for speaking truth to power.”

“Restrictions on digital anonymity must satisfy requirements of legality, necessity and proportionality, and legitimacy. This directive fails is in [sic] clear contravention with India’s obligations under international human rights law,” it continued.

Officials in India, on the other hand, claim that the directive is intended to combat the rising threat of cyber crime to residents, not to stifle freedom of expression and privacy.

According to a new survey by the Netherlands-based VPN company Surfshark, over 675,000 Indian users were breached this quarter, while 1.77 million users’ data was taken in the fourth quarter of 2021, keeping India among the top five countries targeted by cybercriminals.

Although this new directive indicates that government agencies would only request VPN records when they are truly required for an investigation, there are fears that the guidelines may be abused.

The new directives are also “vague,” “undermine user privacy,” and “information security,” according to the Internet Freedom Foundation (IFF), in New Delhi that advocates for digital rights and freedoms.