India Orders VPNs to Keep User Logs or Leave the Country

According to a recent release by Cert-In, VPN providers unwilling to collect user data in India will have to pull out.

The Indian government has told virtual private network (VPN) providers that the country “is not a good place to do business” if they aren’t willing to collect user data.

The statement, announced by Minister of State for Electronics and IT Rajeev Chandrasekhar, follows a law passed last month that demands VPN companies operating in India to collect and hold customer data for up to five years.

The policy is part of a broader effort to ramp up India’s cybersecurity efforts. Yet, with the law directly contradicting the purpose of Virtual Private Networks, global VPN providers are now being forced to rethink their future in the country.

VPNs in India are Now Required to Collect Customer Data

For businesses that haven’t been taking India’s latest cybersecurity rules seriously – be warned. In a recent release of the Indian Computer Emergency Response Team (Cert-In)’s FAQ section, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar has appeared to double down on the government’s data retention law.

In the release, Chandrasekhar tells businesses that they are “free to leave India” if they don’t comply with the state’s recently passed piece of legislation.

“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs who want to do business in India and you don’t want to apply, you don’t want to go by these rules, then if you want to pull out, frankly, that is the only opportunity you have. You have to pull out.” – Rajeev Chandrasekhar 

The directive makes it a legal requirement for VPN providers, cloud service providers, crypto exchanges and data centres to collect information that can be used to identify users. This data includes names, usage patterns, and validated physical and IP addresses.

Aside from maintaining logs of consumer data, the new law also makes it mandatory for such providers to report instances of cyber attacks to Cert-In.

What Happens to Companies That Don’t Comply?

According to Cert-In’s recent release, if VPN companies, and other applicable providers, aren’t willing to hand over personal customer data to officials they will no longer be able to operate in India.

If companies continue to ignore the piece of legislation, they may also be faced with up to one year in jail.

In the face of large scale data breaches in India, it’s clear that Cert-In is doing what it can to crack down on the escalating impact of cyberattacks.  However, with the legislation making the use of VPNs practically unviable, businesses and public users relying on the measure to protect their online privacy are expected to lose out the most.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Isobel O'Sullivan (BSc) is a senior writer at with over four years of experience covering business and technology news. Since studying Digital Anthropology at University College London (UCL), she’s been a regular contributor to Market Finance’s blog and has also worked as a freelance tech researcher. Isobel’s always up to date with the topics in employment and data security and has a specialist focus on POS and VoIP systems.
Explore More See all news
Back to top
close Step up your business video conferencing with GoToMeeting, our top rated conferencing app – try it free for 14 days Try GoToMeeting Free