India has delayed plans to force VPN providers and cloud service operators to retain user data and share it with the government.
India’s Computer Emergency Response Team (CERT-In) is now announcing that it plans to give businesses an additional three months to comply with the rules – or pull out of the country altogether.
The move follows a strong backlash, not just from VPN providers and cloud service operators themselves, but also from cybersecurity experts and privacy advocates.
Yesterday, in a letter to CERT-IN and the Ministry of Electronics and Computing, more than 20 people asked that the introduction of the requirement be delayed.
“We are deeply concerned about the guidance issued by CERT-In on April 28, 2022, and urge you to postpone their implementation and engage in a thorough public consultation process aimed at amending the guidance with input from all parties. stakeholders and experts,” they write.
“It is crucial that CERT-In and MeitY ensure that regulations advance systemic and user-centric approaches to cybersecurity, focusing on effective response to cyber incidents – which is also the specific regulatory power and limited granted to CERT-In by the Indian Parliament in this section of the Information Technology Act.
The rules require vendors to collect and store names, email addresses, and phone numbers, as well as the customer’s IP address. They will also need to record the rental period – using the timestamp used during registration – the reason the customer is using the service and their “ownership model”.
Potential penalties amount to imprisonment or a fine of Rs 100,000 ($1,300).
“The instructions, as they stand, will have the unintended consequence of weakening cybersecurity and its crucial element, online privacy,” the experts say.
“We are aware of the need for a framework to govern the reporting of cyber incidents, but the reporting delays and excessive data retention mandates prescribed in the instructions will have negative implications in practice and hinder efficiency, while endangering online privacy and security.”
A number of VPN providers have already pulled out of the country. ExpressVPN, for example, shut down its two physical servers in India, although it continues to operate its two Indian virtual server locations; Surfshark did the same. Proton, however, monitored the situation while continuing as normal.
The decision, however, is only a temporary reprieve, with the new rules due to come into effect on September 25.