1. Introduction.
  2. Why new rules needed ?
  3. Discuss the possible implications.
  4. Conclusion – stating government response.

The Ministry of Electronics and Information Technology, issued new norms for Virtual Private Network (VPN) companies to record personal information of their users for a period of five years. They also have to record usage patterns, purpose of hiring services and various other information. Apart from VPN companies, data centers, virtual service network providers, cloud service providers have also been asked to record and maintain similar data in the form of Know Your Customer (KYC).

The need for new rules: These rules will “enhance overall cyber security posture and ensure safe & trusted internet in the country”. It noted that the Indian Computer Emergency Response Team (CERT-In), which serves as a safeguard against cyber-attacks, has identified “gaps” in analysing online threats, for which it has issued the new norms of reporting cyber incidents. Non-availability of data hampers analysis and investigation. In 2021, a Parliamentary Standing Committee, in a report to the Rajya Sabha, wanted the Ministry to block VPNs with assistance from internet service providers.

Implications: The fundamental USP of a VPN is that it ensures privacy. VPNs basically create a safe and secure connection while using a public network like the internet. In simple terms, they mask your online id which makes it difficult for third parties to track, steal and store your data.

So, the new rules could be problematic for VPN providers and their customers. Customers will have to go through a stringent KYC process and will have to state the purpose of using the services.  With the new rules, the government will have access to personal information of the customers which makes the use of a VPN redundant. This is relevant in the light of the ever-growing number of VPN users in India.

Many VPN providers are mulling the implications of the new rules and some have even threatened to withdraw their service from the country. For e.g., Nord VPN might pull out of India in a bid to stay committed to protecting its privacy. Proton VPN highlighted that  the new VPN regulations are an assault on privacy and threaten to put citizens under a surveillance.

The government has defended them as the need of the hour to “ensure stability and resilience of Cyber Space”. Amidst strong pushback from various corners, the Central government has warned the companies to either comply with rules or exit from India.

Legacy Editor Changed status to publish July 13, 2022