Indian VPN Companies Ordered To Collect And Store User Data For At Least 5 Years: Know What This Means

New Delhi: India's Computer Emergency Response Team or CERT-in has asked VPN companies to collect and store extensive user data for at least five years, as it aims to reduce the gaps in responding to cybersecurity incidents. VPN providers will be required to collect and turn over user data that includes IP addresses assigned to users. The national agency that falls under the Ministry of Electronics and IT has also issued the directive for VPN companies as well as cloud service providers and data centres, the media has reported.

"During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000," the agency said in a statement.

Also read: Foxconn Starts Early Recruitment As Apple Preps For iPhone 14's Production Earlier Than Usual

The new governing law applicable to VPN providers comes into effect after a period of 60 days and failing to meet the demands could lead to imprisonment of up to a year, as per the new directive.

Also read: Redmi Pad 5 Android Tablet May Launch In India Soon, May Be Priced Under Rs 25,000

"The directions cover aspects relating to synchronization of ICT system clocks; mandatory reporting of cyber incidents to CERT-In; maintenance of logs of ICT systems; subscriber/customer registrations details by Data centers, Virtual Private Server (VPS) providers, VPN Service providers, Cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers and custodian wallet providers. These directions shall enhance the overall cyber security posture and ensure safe and trusted Internet in the country," CERT-In added.

Read more: JBL Tune 230 NC And JBL Tune 130 NC With 40 Hours Playback Time Launched In India

It is being said that the move will make it difficult for VPN providers as currently, they offer complete privacy to users by not collecting and sharing their data and offering a no-logging policy. The VPN companies also function on RAM-only servers, thus, storing the data only temporarily.