VPN service providers can leave India if they choose not to collect user data, says IT minister
Last month, the government had asked VPN firms to store details like name of the users, their addresses and purpose of using the service.
Union Information Technology Minister Rajeev Chandrasekhar on Wednesday said that virtual private network service providers could leave India if they choose to not adhere to the new cyber security rules, The Indian Express reported.
In a set of directions issued last month, the government had directed companies offering Virtual Private Network, or VPN services, to collect and store information of Indian users for up to five years.
VPN providers in India now need to store names, addresses, contact numbers, period of subscription, email and IP address, and the client’s purpose of using their services, the Indian Computer Emergency Response Team, also known as CERT-In, has said. The rules will come into effect from June-end.
VPNs allow users to mask their location and browse the internet without divulging their search history to the internet service providers by using remote servers. The tool is often used by investigative journalists and ethical hackers to access websites that are banned in their countries.
On Wednesday, Chandrasekhar made the remarks on VPN service providers during a session of Frequently Answered Questions on the new cyber security guidelines issued by CERT-In.
“If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out [from the country], frankly, that is the only opportunity you will have,” he said, according to The Indian Express. “You will have to pull out.”
Many VPN service providers like NordVPN, SurfShark and Proton VPN claim to not maintain any data of how customers use the service.
When asked about their concerns, the IT minister said: “There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs”.
In its guidelines, CERT-In had also said that any organisation which fails to comply with the directions can face action under subsection (7) of section 70B of the Information Technology Act. The section has provisions for a jail term of one year, a fine of up to Rs 1 lakh, or both.
VPN services are currently regulated or are completely banned, in only a few countries like Belarus, China, Iraq, North Korea, Oman, Russia, and the United Arab Emirates, according to internet security services firm Norton.