In a major, albeit temporary, victory for data privacy, the Indian government has decided to delay its new rules for VPN providers by three months.
The law, which stated that VPN providers would need to log user data for up to five years, is in staunch opposition to the industry's primary goal of promoting data privacy and protecting user information.
Now, the postponement will, in theory, give providers enough time to comply with the new law, although many are still likely to take their ball and go home.
India Delays New Data Privacy Rules for VPN Providers
Announced in a press release, the Indian Computer Emergency Response Team (CERT-In) has announced that its controversial new data privacy would be put on hold for three months to allows providers more time to “build capacity required for the implementation of the Cyber Security Directions.”
“Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are also provided with additional time for implementation of mechanisms relating to the validation aspects of subscribers/customers details,” read the press release.
The delay is good news to many, as the new rules proved controversial to say the least. In fact, security experts around the world have been criticizing the move, going so far as to pen a joint letter condemning the new rules as a big step in the wrong direction.
“We are cognizant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness, while endangering online privacy and security.”
While experts are celebrating the move, three months isn't very long, and if the Indian government still plans on going through with the new rules in the long run, it could be in for a rude awakening.
The VPN Exodus
While the new rules for data privacy were supposed to go into effect on Monday, the delay provides plenty of time for those planning to comply to get everything in order. However, many prominent VPN providers have decided that leaving the South Asian market is better for the integrity of their business.
In fact, the likes of NordVPN, PureVPN, ExpressVPN, Surfshark, and many others have decided to shut down their servers from India. Even worse, a good percentage of them have no plans to even provide remote servers that connect to India, which will leave the country without a lot of options.
The exodus of VPN providers from India is a big deal for more than just Indian users. The country represents the second-largest population for VPN usage, with 45% of the country taking advantage of its data protection features.
Many businesses rely on VPNs to facilitate remote work, while individual users often take advantage of perks like streaming content from other countries. Either way, this delay could be some short-lived good news if the best VPN providers are still planning on avoiding India.