VPN users expect their privacy to be protected, but a new Indian guideline will require corporations to not only gather a large quantity of user data but also to retain it for five years and provide it over if required. Virtual Private Network providers, data centers, cloud service providers, and crypto exchanges are all affected by the order.
According to Entracker, India’s Computer Emergency Response Team, or CERT-in, has issued a new national order that aims to “organize response actions as well as emergency measures concerning cyber security incidents.”
Customers’ identities, usage habits, contact information, validated IP and physical addresses, and the purpose for which they are hiring the services must all be recorded by companies, including VPN providers.
Another provision of the regulation mandates that businesses retain consumer information even if they cancel their accounts or subscriptions. Organizations must also report any individuals who have “unauthorized access to social media accounts.”
According to CERT-in, the rules are in place so that the agency may respond to cyber incidents within six hours of their discovery. Users of these services are certainly unhappy with the order, but the corporations that provide them may not have much choice: failure to cooperate with requests for information can result in a year in prison.
Most VPNs have a no-logs policy, which means they don’t maintain logs of their customers’ online activities and those that do only keep them temporarily. As a result of the new laws, some of these suppliers may be forced to exit the Indian market due to the possibility of legal action. The directive is slated to take effect on June 27, although it may be postponed to give businesses more time to comply with the rules.