The statement, announced by Minister of State for Electronics and IT Rajeev Chandrasekhar, follows a law passed last month that demands VPN companies operating in India to collect and hold customer data for up to five years. The policy is part of a broader effort to ramp up India’s cybersecurity efforts. Yet, with the law directly contradicting the purpose of Virtual Private Networks, global VPN providers are now being forced to rethink their future in the country.
VPNs in India are Now Required to Collect Customer Data
The directive makes it a legal requirement for VPN providers, cloud service providers, crypto exchanges and data centres to collect information that can be used to identify users. This data includes names, usage patterns, and validated physical and IP addresses. Aside from maintaining logs of consumer data, the new law also makes it mandatory for such providers to report instances of cyber attacks to Cert-In.
What Happens to Companies That Don’t Comply?
According to Cert-In’s recent release, if VPN companies, and other applicable providers, aren’t willing to hand over personal customer data to officials they will no longer be able to operate in India. If companies continue to ignore the piece of legislation, they may also be faced with up to one year in jail. In the face of large scale data breaches in India, it’s clear that Cert-In is doing what it can to crack down on the escalating impact of cyberattacks. However, with the legislation making the use of VPNs practically unviable, businesses and public users relying on the measure to protect their online privacy are expected to lose out the most.
