In India, virtual private network companies will be required to collect extensive customer data—and maintain it for five years or more—under a new national directive from the country’s Computer Emergency Response Team, known as CERT-in. It’s a policy that will likely make life more difficult for both VPN companies and VPN users there.
The body, under the country’s Ministry of Electronics and IT, announced Thursday that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entracker, those who don’t comply could potentially face up to a year in prison under the governing law cited in the new directive.
The directive isn’t limited to VPN providers. Data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account. And, in all case, CERT-in will require the companies to report on their users’ “unauthorized access to social media accounts.”
A snag in the Indian government’s plan is that most VPNs have a ‘no-logs policy’ or at the very least, only keep user data temporarily. As a result of CERT-in’s new directions, many VPN providers and other IT companies could potentially stop doing business in India as they can no longer legally operate in the country.
The ministry’s full directive is slated to take effect on June 27, although the government may delay implementation to allow time for wider compliance.