India has delayed plans to force VPN providers and cloud service operators to hold user data and share it with the government.
The Indian Computer Emergency Response Team (CERT-In) now says it plans to give firms an additional three months to comply with the rules – or pull out of the country altogether.
The move comes following strong pushback, not only from the VPN providers and cloud service operators themselves, but also from cybersecurity experts and privacy advocates.
In a letter to CERT-IN and the Ministry of Electronics and IT yesterday, more than 20 people called for the introduction of the requirement to be delayed.
“We are deeply concerned by the Directions issued by CERT-In on April 28, 2022, and urge you to please defer their implementation, and initiate a process of in-depth public consultation aimed at modifying the Directions with inputs from all stakeholders and experts,” they write.
“It is crucial that CERT-In and MeitY ensure that the regulations advance systemic and user-centric approaches to cybersecurity, focusing on effective cyber incident response — which is also the specific, limited rulemaking power given to CERT-In by the Indian Parliament in this section of the Information Technology Act.”
The rules require providers to collect and store names, email addresses and phone numbers, along with the customer’s IP address. They will also have to record the period of hire – using the timestamp used at registration – the customer’s reason for using the service, and their ‘ownership pattern.
The potential penalties rise to imprisonment or a fine of Rs100,000 ($1,300).
“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy,” say the experts.
“We are cognisant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness, while endangering online privacy and security.”
A number of VPN providers have already pulled out of the country. ExpressVPN, for example, has shut down its two physical servers in India, although it continues to operate its two Indian virtual server locations. Proton and Surfshark, however, have been monitoring the situation while carrying on as normal.
The decision, however, is only a temporary reprieve, with the new rules scheduled to come into effect on September 25.