Explained: What the New VPN Rules Mean for Internet Users in India

NEW DELHI: India has passed a law that now requires all VPN (Virtual Private Networks) service providers to store user data for at least five years. The national directive does not only apply to: VPN businesses, but for cloud service providers, data centers and crypto exchanges, to collect specific, comprehensive customer data even after users delete their account or cancel their subscription. Companies will have to store usernames, I P addresses, usage patterns, other forms of identifiable information and report “unauthorized access to social media accounts” as part of the directive. If you do not follow the rules, you risk up to a year in prison.
The directive, issued by the Indian cyber watchdog – the Indian Computer Emergency Response Team (CERT-In), intended to tackle cybercrime, will come into effect on June 27, 2022 and will require VPN providers to retain the following data as part of the know your customer (KYC) policy for five years:
Validated subscriber/customer name
Rental period
IPs assigned to the user
Email address, IP address and timestamp used at time of registration
Purpose of hiring services
Validated address and contact numbers
Ownership pattern of the subscribers
Now the primary purpose of using a VPN is to keep one’s IP address private so that users can stay away from website trackers that track user data and location. With the new change, VPN companies will be forced to store servers and user privacy will no longer be a core functionality.
Point to note: Data from the VPN adoption index maintained by AtlasVPN showed that India registered more than 270 million VPN users in 2021, which is about 20% of the population. VPN use among smartphone users reached 25.27 percent in the first six months of 2021, compared to 3.28 percent of the population in 2020, according to data extracted from Google Play Store and Apple App Store by Sensor Tower. Also this: According to the Global VPN Usage Report 2020, India was the second largest market for VPN, with 45% of internet use via VPN, up from 38% in 2018.
What is the biggest USP of a VPN, especially for online transactions?
“VPNs hide your location and IP address when you share an open network. They add an extra layer of encryption to your data, meaning there is less chance of someone eavesdropping on your communications or intercepting private information such as login credentials or passwords. it’s very safe to access your bank account over public Wi-Fi,” said Murari Sridharan, CTO, BankBazaar.com.
A VPN assigns a user a temporary or shadow IP address. Companies typically use VPNs to allow employees to log into their work systems remotely, without any kind of compromise that could put them at risk.
According to Kaspersky, the primary job of a VPN is to hide your IP address from your ISP and other third parties. This allows you to send and receive information online without the risk of anyone other than you and the VPN provider seeing it.
Via the VPN, all your data traffic is routed through an encrypted virtual tunnel. This obscures your IP address when using the internet, making its location invisible to everyone. A VPN connection is also secured against outside attacks. With a VPN, you can access regionally restricted content from anywhere in the world. Many streaming platforms are not available in every country. You can still access it through the VPN. People often turn to VPNs when their country’s governments block useful applications. One of the most common examples is VoIP services – short for Voice over Internet Protocol, or in simple terms, telephone services over the Internet, such as WhatsApp, Telegram, Skype, etc.
Until now, VPN providers in India did not keep any logs of your activities. Some providers may record your behavior, but do not pass this information on to third parties. This means that any possible registration of your user behavior is permanently hidden. But that is now changing.
What are the consequences of the government’s decision?
Money laundering becomes difficult
Stolen identities and bank fraud are very real concerns. While privacy is important for both VPN service providers and users to avoid being tracked, the government’s move will help track down anti-social elements and cyber criminals indulging in various horrific activities online. The new regulations will also close the door to money laundering as with the rise of digital banking, VPNs have played a huge role in opening rooms for such illegal activity,” said Sucheta Mahapatra, MD India, Branch Personal Finance App.
Bank fraud and scams will decrease
“India as a nation is sure to see a dip in bank fraud and scam cases as a result of the implementation of the new VPN regulations. Fraudsters and scammers will no longer be able to hide behind the mask of a VPN and will be exposed for the crimes they commit. The regulations will bring much-needed accountability and stability to the banking sector,” said Jahangir Panday, Co-Founder and COO – Bridgeup.
But what does this mean for users?
User privacy dead
While VPNs still remain legal, it is now regulated in India. In addition, VPN users are now at risk of being targeted for surveillance and loss of privacy.
“Users’ ability to rely on the privacy and anonymity provided by VPNs, data centers, and cloud storage facilities for real and legitimate activities can also be impacted. Also, with the proliferation of large-scale data breaches at many technology companies, the user data held by the service providers stored can always be at risk,” says Anupam Shukla, Partner, Pioneer Legal
“The new VPN rules may potentially violate customers’ ‘Right to Privacy’ as listed in Article 21, as the rules instruct VPN providers to retain users’ personal data for 5 years or more and the violation of this To comply with this, all VPN providers will have to change their privacy policies and such unilateral changes, after execution of the contract, could violate the basic principles of the Contract Act which could hinder the rights of the users It will be quite It would be interesting to see if any direction for such collection of personal data will fall under Cert-IN’s remit as stated in 70B(4) of the IT Act,” said Ayush Sharma, Managing Partner of MS Law Paerners.
“By requiring VPNs to maintain granular records, they fundamentally undermine the privacy of users who wish to browse the Internet without state or private companies monitoring their actions. The rules erroneously assume that those who maintain anonymity looking for something to hide,” says Vrinda Bhandari. , a Delhi-based lawyer.
Get ready for stricter KYC verification
The users/subscribers may also have to deal with a stricter KYC verification process and also have to state the reasons for hiring services except that their data will be kept by the service provider for a period of 5 years or more. With the increased compliance costs, the service providers may also revise the rates for the provision of services, said Rahul Goel, Partner, AnantLaw.
What are the legal implications?
Some VPN providers with servers in India are considering shutting down their servers in the country, but whether you can connect to the same VPN provider’s servers in other countries is still a gray area.
“While the directions are silent on their extraterritorial application, until more clarity is provided by the government, it would be difficult to rule out the applicability of these directions to foreign legal entities that have their networks in India, as the Information Technology Act, that is the parent law, has an extraterritorial applicability,” said Rishi Anand, Partner, DSK Legal.
“The Safety of a Few” internet users should not be at the expense of the privacy of the rest. The government should have implemented a robust data protection mechanism before introducing rules requiring the collection of personal data by the service providers. Unfortunately, the long-awaited data privacy law is far from in sight. These rules also affect the VPN service providers that offer a no-log policy, forcing these VPNs to rework their entire technology or leave the country. Implementation can be challenging given the short period of time before the rules come into effect,” said Anupam Shukla, Partner, Pioneer Legal.
“There can be multiple players in any business, but the nature and ethics of business are the same and when that is compromised, the entire business model collapses. The same can happen with VPN, which is preparing to collide with the new VPN rules slated to come in next month While the basic idea behind VPN is to provide user anonymity, the rules force players to store the data for 5 years and hand it over to the government when prompted This violates VPN providers’ corporate policies and they are considering prioritizing their policies over guidelines and could also contribute to VPNs being declared illegal in India,” said Siddharth Jain, Co-Founder of PSL Advocates & Solicitors.
The VPN service providers are now required to report cyber incidents to CERT-In and also keep all data including rental period, IP addresses, ownership pattern, etc. for a period of 5 years. “This means that the companies have to create special cells within their IT departments to meet these requirements,” said Rahul Goel, Partner, AnantLaw.

Leave a Reply

Your email address will not be published.