FP StaffJun 29, 2022 12:58:27 IST
A few weeks back, India’s Computer Emergency Response Team or CERT-In and the Ministry of Electronics and Information Technology or MeitY had decided to implement new cybersecurity regulations.
These regulations were meant for VPNs and cloud storage service providers and required them to store all user-centric data on their servers for a period of five years. They were also required to share this data with regulatory and law enforcement agencies during investigations.
Although the new regulations were set to take effect from June 27, after much backlash CERT-In has decided to delay the new VPN policy by three months and push the timeline by a period of 3 months.
CERT-in has now announced that the new VPN policy will now come into effect, starting September 25, thus, giving VPN providers more time to comply with the new rules. However, there would be no changes to the policies themselves.
In a statement, CERT-IN has stated, “MeitY and CERT-In are in receipt of requests for the extension of timelines for implementation of these Cyber Security Directions of 28th April 2022 in respect of Micro, Small, and Medium Enterprises (MSMEs). Further, additional time has been sought for the implementation of a mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers.”
Meanwhile, a number of VPN and cloud service providers have already exited the Indian market and many more are contemplating moving their servers out of India.
ExpressVPN and SurfShark VPN, two of the most widely used VPN services had recently announced to remove their servers from India as they could not comply with the new VPN rules. Although both of them will continue to work for Indian users via virtual servers in India, they will not be hosting any servers in the country.
The new regulations, required VPN and cloud service providers to store user data like their names, IP addresses, email addresses, and phone numbers for at least five years, even if the user does not continue with their services. Furthermore, ISPs and all data centres, including the ones that VPN services use are required to keep a log of all activities from an ISP for a period of 180 days, for national security and cybersecurity purposes.
Because this flies straight into the face of any VPNs terms of services and their basic agenda, VPN providers who host their servers in India are faced with a dilemma. That is why most of these providers are planning to shift their servers out of India and into other areas that are safe havens.