Recently, the Indian government instructed VPN service providers to record specific information regarding their users for a minimum of 5 years. The Central Emergency Response Team (CERT-In) issued various new directives, and this was one of those.
The new directives are expected to take effect from 27 June this year. Nevertheless, industry experts believe that these rules may lead to severe privacy concerns, particularly where VPN service providers are concerned.
A Virtual Private Network (VPN) establishes an encrypted, secure connection between the user and the internet. With the help of a VPN, users can hide their IP address, browsing history, geographical location, web activities and linked devices.
As per CERT-In’s new rules, VPN service providers will need to collect and store specific information for a minimum period of five years, even when a customer has ended the subscription. The personal data that needs to be collected and stored includes names, emails, IP addresses, contact numbers and the reason for using the VPN service.
Cloud service providers and data centres will need to comply with these new directives. If they do not follow these norms, they will be penalised with a jail term of up to one year. All organisations must maintain logs of their Information and Communication Technology (ICT) systems in India as per the new regulations.
The Internet Freedom Foundation has said that the ambiguity around what information is covered under their ICT systems can lead to severe concerns, such as private enterprises or the government having access to more data than required.
Industry experts have also raised concerns about how these new data collection and retention requirements will assist in enhancing cybersecurity. Furthermore, localisation requirements will also lead to concerns regarding surveillance, especially when there is no dedicated data protection authority.
Three VPN service providers have reportedly confirmed that they will not follow the new data collection rules and will continue to use their no-logs policy. In their view, the 180-day log retention rule concerning the ICT systems is ambiguous, the new rules could undermine cybersecurity and put personal data at risk of a leak, and the data retention rule is counterintuitive because there is no data protection authority to ensure that data is used only for cybersecurity purposes.
For any clarifications/feedback on the topic, please contact the writer at bhavana.pn@cleartax.in
Bhavana is a Senior Content Writer handling the GST vertical.