Surfshark is the latest VPN company to shut down its servers in India in response to new data regulations that require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years.
Surfshark said it will shut down its physical servers in India before the new law from India’s Computer Emergency Response Team (CERT-In) comes into force on June 27. Users can still access the servers in the meantime. After the shutdown, Surfshark will provide customers with access to its virtual Indian servers, which will be physically located in Singapore and London and will provide users with an Indian IP address. Users will be able to find them in the company’s regular list of servers.
“Surfshark proudly operates under a strict ‘no logs’ policy, so such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible,” said Gytis Malinauskas, Head of Legal at Surfshark. “The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base.”
Last week, ExpressVPN made a similar announcement, saying it was shutting down its servers in India over the new law. ExpressVPN will also serve Indian customers via virtual servers in Singapore and London. NordVPN has also said it will likely be unable to comply with the new law.
Surfshark added that the exit of VPN players from India is bad news for the country’s growing IT sector because privacy and protection of personal data are a crucial part of the sector’s success – in other words, people are less likely to use digital services if their data is more likely to be stolen.
While VPNs aren’t necessarily the only thing preventing data breaches from skyrocketing in India, Surfshark and others fear that the new data policy could make the problem worse as the government collects and stores vast amounts of data from different companies, which will make it a juicy and lucrative target for hackers.
Surfshark pointed to its own data showing that since 2004, almost 15 billion accounts have been leaked worldwide – of those, close to 255 million belong to users from India. That works out to 18 out of every 100 Indians having had their personal contact details stolen.
“The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password,” the company said. “Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”
Surfshark added that it will continue to closely monitor the government’s activities and encourage discussions intended to persuade the government to hear the arguments of the tech industry.