As part of the government’s crackdown on cybercrime, India has introduced strict new rules on the handling of digital data by VPN operators in the region. Among these measures, directive n° 20(3)/2022-CERT-In enforces the retention of personal information from 27 June 2022. Considering this decision an invasion of privacy, major VPN providers such as Express VPN, and more recently AIP formalize their withdrawal from the country.

Major VPN Providers Out of India

On 28 April 2022, Government of India Computer Emergency Response Team (CERT-In), released the new VPN Operation Policy. The directive implies the recording of a lot of personal data for at least 5 years.

In support of this, the Minister of State for Electronics and Computers, Rajeev Chandrasekhar, has issued a formal notice to operators seeking to circumvent the law. According to its statement, companies with physical servers in India must comply or leave India.

Since then, VPN companies active in the region have successively rushed out. NordVPN was one of the first to announce its departure. ” Our Indian servers will remain until June 26, 2022. To ensure that our users are aware of this decision, we will be sending a notification with all the information through the NordVPN app from June 20. As advocates of digital privacy and security, we are concerned about the possible impact these regulations have on people’s data. ‘, then told Laura Tyrylyte, head of public relations for the company.

At the same time, Matt Fossen of Proton VPN admitted to monitoring the situation before establishing the company’s commitment to policy ” no logging Other companies also followed suit, namely ExpressVPN, SurfShark, Hide.me and PIA (Private Internet Access).

The body of directive N°20(3)/2022-CERT-In includes an impressive list of steps for storing customer data.

The document details the information to be collected as follows:

• Name of customer/validated customer who hired the service
• Rental period including date
• IP assigned to/used by members
• Email address, IP address and timestamp used during registration/onboarding
• Purpose of hiring services
• Validated address and contact number
• Customer/customer recruitment service ownership model

Through this “deterrence”, the Indian government is particularly working to strengthen digital security in the face of the rise of piracy, media poisoning and money laundering. However, this provision distorts the VPN’s main function of ensuring privacy. This was stated by Prateek Waghre, an activist at a digital citizen rights organization in Delhi.

” It is true that there is a clear need for better cybersecurity […] But if you demand large-scale data collection, everyone is at risk – and the risk is even greater for those who are already at risk, such as activists, journalists, dissidents and minorities. “, he explained.