CERT-In Extends Deadline For VPN Firms To Comply With Its Mandate Of Storing User Details

CERT-In has announced a new deadline of September 25 to comply with the new directive that makes it mandatory for VPN brands in India to collect and store extensive user data for at least five years.

By : ABP News Bureau | Updated at : 29 Jun 2022 04:28 PM (IST)

CERT-In extends new privacy rules for VPN providers to September 25 CERT-In Extends Deadline For VPN Firms To Comply With Its Mandate Of Storing User Details

The mandate for VPN companies includes maintaining all consumer's details. Image: Getty

In a short breather for virtual private network (VPN) companies in India, the Indian Computer Emergency Response Team (CERT-In) has announced a new deadline of September 25 to comply with the new directive that makes it mandatory for VPN brands in India to collect and store extensive user data for at least five years, citing objectives like fighting cybercrime and invoking the country's integrity and sovereignty.

Also read: Will New CERT-In Rules Affect Users And VPN Players? Here's What NordVPN And Experts Say

The country's nodal agency that deals with cyber security threats, hacking and phishing had in April announced a deadline of June 28 (today) to comply with the new deadline of cybersecurity directives for VPNs, MSMEs and data centres. Data centres, VPS providers, cloud service providers and VPN service providers are also given additional time for implementation of mechanisms relating to validation aspects of subscribers/customers' details, said CERT-In.

Also read: After ExpressVPN, Surfshark Shuts Down Servers In India In Response To New Rules

"...The matter has been considered by CERT-In and it has been decided to provide extension till 25 September, 2022 to Micro, Small and Medium Enterprises (MSMEs) in order to enable them to build capacity required for the implementation of the Cyber Security Directions. In addition, Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are also provided with additional time till 25 September, 2022 for implementation of mechanisms relating to the validation aspects of the of subscribers/customers details," CERT-In said in a statement.

The mandate for VPN companies includes maintaining all consumer's details, the purpose behind using the VPN services and the faux and original IP addresses and the decision is likely to hurt VPN companies as maintaining privacy is the key USP. The new CERT-In rules come into effect next month. Even as the government-appointed nodal agency's directive is aimed at strengthening the country's cyber security it raises a pertinent question of privacy as VPN companies cater to users who want to conceal their identity.

The announcement has led to leading VPN companies like NordVPN and ExpressVPN shutting their servers from India.