VPN services such as SurfShark, NordVPN and ExpressVPN said they may not be able to comply with a new directive from the Indian government to store personal data of users for five years or longer.
Last week, the Indian Computer Emergency Response Team (CERT-In), India’s top cybersecurity agency, issued the directive under which virtual private network (VPN) services will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. They may be asked to hand over the data to the government or face punitive action for non-compliance.
The directive – which has been justified as necessary to prevent cybersecurity breaches – comes a few quarters after India’s parliamentary standing committee of home affairs sought a ban on VPNs, citing threats. The new directive is slated to take effect by the end of June.
According to a report by the Economic Times, VPN providers say that complying with the new directive goes against their policies to protect user privacy.
Netherlands-based SurfShark said that it “technically” can’t comply with the directive as it only operates with RAM servers in India.
Gytis Malinauskas, SurfShark’s legal head, told the publication that the company operates under the jurisdiction of the Netherlands, and there are no laws requiring it to log user activity.
Panama-based NordVPN said that it may remove its servers from India if no other options are left. Laura Tyrylyte, NordVPN’s security spokesperson, said the company may have to reassess the situation once the directive comes into effect in the coming two months.
“We are committed to protecting the privacy of our customers,” she said, adding that the company is currently operating as usual.
ExpressVPN told the publication that it is governed by laws of the British Virgin Islands, which also doesn’t require VPN services to maintain user logs. “VPNs are critical for user safety and the preservation of user’s right to online privacy, and are fundamentally opposed to any efforts to undermine such technologies,” it said in a statement.
Other VPN providers also said that they may not necessarily come under the jurisdiction of Indian laws since they are already governed by laws of the countries in which they are based.
PureVPN – also based in the British Virgin Islands – told CNET that the new directive could impact the company’s position in India. It has 3 million users globally.
“We’re quite astonished at this policy move by the world’s largest democracy which is on the brink of becoming the world’s largest police state,” PureVPN CEO Uzair Gadit said.
“We are reaching out to Indian authorities and reviewing the policy guidelines to assess what it means for foreign companies serving users in India. PureVPN is a no-log VPN. User anonymity and security is a central priority, but if that is compromised by this policy then we will have to consider our position in India,” Gadit added.
India has more than 270 million VPN users. VPN services penetration in the country jumped in 2021, with 20% of the population using them to access various services and websites or to keep their IP addresses and usage patterns hidden. VPN penetration stood at 3.28% in 2020, according to AtlasVPN.
The Ministry of Electronics and IT (MeitY) said in a statement on Saturday that the new directive was intended to help it deal with “certain gaps” that hinder it from responding to unspecified “cyber incidents and interactions with the constituency.”
The new directive also applies to data centres and cloud service providers, who will have to keep customer information for the specified time period even after the customer has cancelled their subscription or account.