The Indian government has told virtual private network (VPN) providers that the country “is not a good place to do business” if they aren't willing to collect user data.
The statement, announced by Minister of State for Electronics and IT Rajeev Chandrasekhar, follows a law passed last month that demands VPN companies operating in India to collect and hold customer data for up to five years.
The policy is part of a broader effort to ramp up India's cybersecurity efforts. Yet, with the law directly contradicting the purpose of Virtual Private Networks, global VPN providers are now being forced to rethink their future in the country.
VPNs in India are Now Required to Collect Customer Data
For businesses that haven't been taking India's latest cybersecurity rules seriously – be warned. In a recent release of the Indian Computer Emergency Response Team (Cert-In)'s FAQ section, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar has appeared to double down on the government's data retention law.
In the release, Chandrasekhar tells businesses that they are “free to leave India” if they don't comply with the state's recently passed piece of legislation.
“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs who want to do business in India and you don’t want to apply, you don’t want to go by these rules, then if you want to pull out, frankly, that is the only opportunity you have. You have to pull out.” – Rajeev Chandrasekhar
The directive makes it a legal requirement for VPN providers, cloud service providers, crypto exchanges and data centres to collect information that can be used to identify users. This data includes names, usage patterns, and validated physical and IP addresses.
Aside from maintaining logs of consumer data, the new law also makes it mandatory for such providers to report instances of cyber attacks to Cert-In.
What Happens to Companies That Don't Comply?
According to Cert-In's recent release, if VPN companies, and other applicable providers, aren't willing to hand over personal customer data to officials they will no longer be able to operate in India.
If companies continue to ignore the piece of legislation, they may also be faced with up to one year in jail.
In the face of large scale data breaches in India, it's clear that Cert-In is doing what it can to crack down on the escalating impact of cyberattacks. However, with the legislation making the use of VPNs practically unviable, businesses and public users relying on the measure to protect their online privacy are expected to lose out the most.