The Indian government recently passed a law that demands all companies collect and hold user data for up to five years, which stands at odds with the core mission statement of most VPNs.
VPNs are used by both businesses and consumers all over the world to encrypt their internet traffic and protect themselves with an enhanced level of online privacy.
But this new law may mean this privilege is no longer available to internet users in India, who already have to deal with their government's intrusive approach to online life.
India Passes Data Retention Law
India has passed a new national directive that applies to VPN companies, as well cloud service providers, data centers, and crypto exchanges, which effectively makes it a legal requirement to collect specific, extensive customer data and hold onto it for at least five years. Companies will also have to report “unauthorized access to social media accounts” as part of the directive.
Instigated by the country’s Computer Emergency Response Team, known as CERT-in, ignoring the demands could lead to up to one year in jail.
VPN companies operating in India will have to hold on to customer names, data about usage patterns, validated physical and IP addresses, and other types of information that could be used to identify an individual.
Concerningly, even if a customer cancels their subscription with a VPN company and deletes their account, the data will still have to be held.
Why This Creates a Massive Problem for VPN Companies
The main selling point of every good VPN has been that it doesn’t hold, collect, or record any user data on the customers that use its services – this is the whole reason that people use VPNs when they head onto the internet. The core purpose of a Virtual Private Network is that the web addresses you visited are decoupled from your IP address – so the demand to collect customer information and activity-related data is completely at odds with this.
Some VPN companies have taken this a step further, deploying RAM-only servers that wipe themselves clean every time they’re powered down (which is regularly). This has been a trend in the industry for a year or so now and most of the big names you’ll recognize (ExpressVPN, NordVPN, Surfshark) all have RAM-only servers.
The prevalence of RAM-only servers in VPN infrastructure in India will cause providers of such services legal problems for just carrying on operating the same way as they have been.
What happens in countries where VPNs are illegal?
Importantly, India hasn't passed a piece of legislation that says VPNs are outright illegal. Instead, they've made it a legal requirement to collect certain types of data – which VPNs deliberately don't do – and have subsequently made VPNs illegal as a byproduct.
There are very few countries where VPNs are completely illegal – but this directive passed by the Indian Government may provide a pathway for countries that have struggled to crack down on VPN usage but would quite like to. There are a number of countries (like China) where, legally, VPNs are in a bit of a grey area.
With the technology completely illegal in so few countries, it will be interesting to see how the Indian government chooses to enforce this law and how it affects businesses that use VPNs – especially considering the state of their global economy.
In places like the US, business VPNs are very popular, and this makes it more difficult for countries like China to crack down on the technology because their commercial usage is so vital and important that it would be economically unwise to do so. Considering this, it wouldn't be unsurprising if there were some unforeseen effects of the ban in India.
One thing is for certain though – internet freedom in the world's second-most populous country has been dealt a massive blow.