Several VPN providers are withdrawing from the Indian market under new data rules from the Indian government.
The policy requires VPN, Virtual Private Server (VPS) and cloud service providers to store customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for five years.
It is part of the Indian government’s attempts to regulate encrypted web traffic and was issued by India’s top cybersecurity agency, the Indian Computer Emergency Response Team (Cert-In).
The directive also states that cybersecurity breaches be reported within six hours of discovery.
Yet, even though the Indian government took the decision to reduce the country’s growing reliance on VPNs, the directive has created so much confusion about what was expected and what it wants to achieve.
“The directives are very broad and there’s not much clarity on how this will be applicable due to the wordings of the directive. Just the fact that the government had to issue a long FAQs note along with the directive shows the complexity of the situation. You can’t have FAQs to clarify statutory provisions,” said Prasanth Sugathan, a partner at law firm Sugathan and Associates.
The sources for this piece include an article in ComputerWorld.