Technology

Are the New VPN Rules a Threat to a User’s Privacy?

Recently, the Indian government instructed VPN service providers to record specific information regarding their users for a minimum of 5 years. The Central Emergency Response Team (CERT-In) issued various new directives, and this was one of those.

The new directives are expected to take effect from 27 June this year. Nevertheless, industry experts believe that these rules may lead to severe privacy concerns, specifically the ones regarding VPN service providers.

A Virtual Private Network (VPN) establishes an encrypted connection between the user and the internet, completely safe and secure. With the help of a VPN, users can hide their IP address, browsing history, geographical location, web activities and linked devices.

As per CERT-In’s new rules, VPN service providers will need to collect and store specific information for a minimum period of five years, even when a customer has ended the subscription. The personal data that needs to be collected and stored includes names, emails, IP addresses, contact numbers and the reason for using the VPN service.

Cloud service providers and data centres will need to comply with these new directives. If they do not follow these norms, they will be penalised with a jail term of up to one year. All organisations must maintain logs of their Information and Communication Technology (ICT) systems in India as per the new regulations.

The Internet Freedom Foundation has expressed that the ambiguity around what information is covered under their ICT systems can lead to severe concerns such as private enterprises or the government having access to more data than required.

Industry experts have also raised concerns about how this new data collection and retention requirements will assist in enhancing cybersecurity. Furthermore, localisation requirements will also lead to concerns regarding surveillance, mainly when there is no dedicated data protection authority.

Three VPN service providers have reportedly confirmed that they will not follow the new data collection rules and will continue to use their no-logs policy. This is because they opine that a 180-day log retention rule concerning the ICT systems is ambiguous; the new rules could undermine cybersecurity. The new rules could put personal data at risk of a leak, and the data retention rule is counterintuitive as there is no data protection authority for ensuring data is being used only for cybersecurity purposes.

For any clarifications/feedback on the topic, please contact the writer at bhavana.pn@cleartax.in

Share

Recent Posts

Mutual Funds: SIP Inflows Breach Rs 19,000-Crore Mark for the First Time in February ’24

The systematic investment plan (SIP) contribution in February 2024 has crossed a new milestone. The monthly contribution tipped at Rs…

9 months ago

Income-Tax Return: A Brief Note on Annual Information Statement (AIS)

The Income-Tax (I-T) Department has directed taxpayers to access the Annual Information Statement (AIS) via the e-filing official portal and…

9 months ago

Mutual Funds: All About SIP and Market Fluctuations

Considering the vagaries of the stock market, investors often ponder over reevaluating their strategies. Whether to continue to remain invested…

9 months ago

Income-Tax Saving Through Strategic Life Insurance Planning

Financial planning is beyond just investing wisely to save on taxes; it's also related to protecting oneself and one's loved…

9 months ago

Income-Tax Return: Here’s a Note on Tax-Saving Avenues

A salaried individual earning up to Rs 5-15 lakh as net salary on an annual basis must first take stock…

9 months ago

A Quick Take on Equity-Linked Savings Scheme

Equity-linked savings schemes (ELSS), also referred to as tax-saving schemes, are equity funds that invest a significant portion of their…

9 months ago