In April 2022, India’s cybersecurity agency passed a rule requiring VPN providers to record and store their customers’ logs for 180 days.
It also required these companies to collect and store customer data for a period of up to five years. It also required that any recorded cybercrime be reported to the CERT-In (Computer Emergency Response Team) within six hours of the crime.
If passed, the new directives will take effect at the end of June.
This topic of “India’s new VPN rules – The impact and implications” is important from the perspective of the UPSC IAS Examination, which falls under General Studies Portion.
Who will be affected by the new regulations?
- Data centres, virtual private server (VPS) providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers, and government organisations are all subject to CERT-In guidelines.
- Firms that provide Internet proxy-like services via VPN technologies are also subject to the new rule. Corporate entities are not being looked into.
Can server relocation and virtualization assist VPN providers in bypassing the new regulations?
- A virtual server is a server environment that is built on top of a physical server.
- It mimics the operation of a dedicated physical server.
- The virtual twin operates similarly to a physical server, running software and utilizing physical server resources.
- A single physical server can support multiple virtual servers.
- Virtualizing servers aids in the reallocation of resources for changing workloads.
- Virtualization also saves money because the cost of maintaining a virtual server infrastructure is lower than that of physical server infrastructure.
- The service providers who do not have a physical presence in India but offer services to the users in the country, have to designate a point of contact to liaise with CERT-In.
- Also, logs may be stored outside India as long as the obligation to produce logs to CERT-In is adhered to by the entities in a reasonable time.
- VPN companies, like Surfshark, on the other hand, believe that by removing their physical servers to countries outside India they will comply with the laws applicable to their activities.
How will the law impact India’s IT sector?
- VPN suppliers leaving India is not good for its burgeoning IT sector.
- Taking such radical action that highly impacts the privacy of millions of people in India will most likely be counterproductive and strongly damage the IT sector’s growth in the country.
Practice Question for Mains
- Discuss India’s new VPN rule and its implications. (15 Marks,250 Words).