Recently, the Indian government instructed VPN service providers to record specific information regarding their users for a minimum of 5 years. The Central Emergency Response Team (CERT-In) issued various new directives, and this was one of those.
The new directives are expected to take effect from 27 June this year. Nevertheless, industry experts believe that these rules may lead to severe privacy concerns, specifically the ones regarding VPN service providers.
A Virtual Private Network (VPN) establishes an encrypted connection between the user and the internet, completely safe and secure. With the help of a VPN, users can hide their IP address, browsing history, geographical location, web activities and linked devices.
As per CERT-In’s new rules, VPN service providers will need to collect and store specific information for a minimum period of five years, even when a customer has ended the subscription. The personal data that needs to be collected and stored includes names, emails, IP addresses, contact numbers and the reason for using the VPN service.
Cloud service providers and data centres will need to comply with these new directives. If they do not follow these norms, they will be penalised with a jail term of up to one year. All organisations must maintain logs of their Information and Communication Technology (ICT) systems in India as per the new regulations.
The Internet Freedom Foundation has expressed that the ambiguity around what information is covered under their ICT systems can lead to severe concerns such as private enterprises or the government having access to more data than required.
Industry experts have also raised concerns about how this new data collection and retention requirements will assist in enhancing cybersecurity. Furthermore, localisation requirements will also lead to concerns regarding surveillance, mainly when there is no dedicated data protection authority.
Three VPN service providers have reportedly confirmed that they will not follow the new data collection rules and will continue to use their no-logs policy. This is because they opine that a 180-day log retention rule concerning the ICT systems is ambiguous; the new rules could undermine cybersecurity. The new rules could put personal data at risk of a leak, and the data retention rule is counterintuitive as there is no data protection authority for ensuring data is being used only for cybersecurity purposes.
For any clarifications/feedback on the topic, please contact the writer at bhavana.pn@cleartax.in
Bhavana is a Senior Content Writer handling the GST vertical. She is committed, professional, and has a flair for writing. When away from work, she enjoys watching movies and playing with her son. One thing she can’t resist is SHOPPING! Her favourite quote is: “Luck is what happens when preparation meets opportunity”.
The systematic investment plan (SIP) contribution in February 2024 has crossed a new milestone. The monthly contribution tipped at Rs…
The Income-Tax (I-T) Department has directed taxpayers to access the Annual Information Statement (AIS) via the e-filing official portal and…
Considering the vagaries of the stock market, investors often ponder over reevaluating their strategies. Whether to continue to remain invested…
Financial planning is beyond just investing wisely to save on taxes; it's also related to protecting oneself and one's loved…
A salaried individual earning up to Rs 5-15 lakh as net salary on an annual basis must first take stock…
Equity-linked savings schemes (ELSS), also referred to as tax-saving schemes, are equity funds that invest a significant portion of their…