Blog

The Indian government’s recent mandate directing virtual private network (VPN) providers to collect and store their customer data for five years or more might not be applicable to enterprise or corporate VPNs.

The Computer Emergency Response Team (CERT-In), which issued the new directions, is likely to put out a list of clarifications to its April 28 mandate and say that the directive to store customer information applies only to those VPNs that offer services to general internet subscribers, according to ET.

“For the purpose of this direction, VPN Service provider refers to an entity that provides “Internet proxy like services” through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users,” CERT-In reportedly said in its FAQ document that has not been made public yet and was exclusively accessed by the publication.

As per the new directions, VPN service providers, data centres, Virtual Private Server (VPS) providers and cloud service providers will have to collect and hold data pertaining to validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email addresses, IP addresses and time-stamps used at the time of registration/on-boarding and more.

Following this, a few VPN service providers said they would exit India rather than following such a mandate that threatens the basic foundation of VPN. NordVPN has already said that it would exit India if no other options are available.

A large number of experts have also raised questions around the legality of the new rules in the absence of a robust data protection law in the country.

According to Tejasi Panjiar, Capstone Fellow, Internet Freedom Foundation, the clarification doesn’t change the ongoing concern around the mandate for public VPNs to collect and store data.

Public VPN Providers’ Take On the New Directions 

“We are still looking into the new law to better understand what’s required, but from what it seems, we would require to make fundamental changes within our infrastructure, our policies and our values,” said Laura Tyrylyte, head of public relations at Nord Security, earlier this week. “It is difficult to see such a scenario coming to life.

Talking about the impact the new government rules can have on VPN service providers, given India is one of the major VPN markets, Tyrylyte told Inc42 that while it is still a bit too early to predict the amount of impact the mandate would have on NordVPN, “it is safe to say that some impact is expected”. 

“Companies that will decide to remove their servers, will have to look for other means to meet the requirements of customers who used those servers,” she added.

Earlier, Gytis Malinauskas, head of legal department at Surfshark, said that the company was trying to understand the new regulations and their implications, but the overall aim is to continue providing no-logs services to all of its users.

Malinauskas also highlighted the technical challenges which the new rules will raise. 

VPN Market In India

India is one of the largest VPN markets in the world. In the past few years, the VPN usage has grown significantly in the country. VPN installs exploded to a staggering 348.7 Mn in H1 2021, representing a growth of 671% over 2020, as per an Atlas VPN report. 

The report said that the increase can be attributed to the rapidly evolving digital ecosystem in the country, as India’s internet user base grew at a rate of 24% each year on average from 2015 through 2020.

India was the second-largest market for VPN, with 45% of internet usage happening through VPN, according to the Global VPN Usage Report 2020.