The Union government has directed companies offering Virtual Private Network, or VPN services, to collect and store information of Indian users for up to five years.

Virtual Private Networks allow users to mask their location and browse the internet without divulging their search history to the internet service providers. The tool is often used by investigative journalists and ethical hackers to access websites that are banned in their countries.

VPN providers in India now need to store names, addresses, contact numbers, period of subscription, email and IP address, and the client’s purpose of using their services among others, the Indian Computer Emergency Response Team, also known as CERT-In, mandated in a set of directions issued on April 28.

The CERT-In works under the Ministry of Information Technology and is the country’s nodal agency on cyber security threats. The new directive will come into effect from June-end and will also be applicable to cloud service providers and virtual private server providers.

VPN services are currently regulated, or are completely banned, in only a few countries like Belarus, China, Iraq, North Korea, Oman, Russia, and the United Arab Emirates, according to internet security services firm Norton.

CERT-In said that cryptocurrency exchanges have also been directed to maintain a record of financial transactions of users for a period of five years.

“The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years,” CERT-In said in its order.

The decision has been taken to ensure the security of payments and financial markets for citizens, while also “protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”, CERT-In stated in its directive.

The cyber security agency also said that any organisation which fails to comply with the directions can face action under subsection (7) of section 70B of the Information Technology Act. The section has provisions of a jail term of one year, a fine of up to Rs 1 lakh, or both.