Virtual private network (VPN) providers and cloud service operators have received an additional three months to comply with new rules from the Indian Computer Emergency Response Team (CERT-In) that require them to maintain personally identifiable data of users for five years and report cyber incidents within six hours.
CERT-In, India’s top cybersecurity agency, postponed enforcement of the new rules to September 25. The directive, announced in late April in a bid to bolster India’s cybersecurity posture and address gaps in incident analysis, was set to go into effect Monday.
Under the directive, VPN providers have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. They may be asked to hand over the data to the government or face punitive action if they don’t comply.
CERT-In said it was extending the deadline because “additional time” had been sought by micro, small and medium enterprises (MSMEs), as well as VPN, data center and cloud service providers, to implement mechanisms for validating subscribers/customers.
However, the announcement had sparked controversy from Day 1. VPN providers like ExpressVPN, Surfshark and NordVPN announced plans to withdraw their India-based servers and serve Indian customers via ‘virtual’ servers overseas. They slammed the new directive, saying that it was “overreaching” and so broad as to open up the window for potential abuse.
Several cybersecurity experts and technologists also sent a joint letter to both CERT-In and the Ministry of Electronics and IT (MeitY) urging the authorities not to implement the “dangerous” law, saying it would “have the unintended consequence of weakening cyber security, and its crucial component, online privacy.”
India recently made it clear that it will not be holding any public consultation on these rules. Rajeev Chandrasekhar, the junior IT minister of India, said last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country.
He added that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that have stricter requirements.