India will give VPN providers and cloud service operators an additional three months to comply with new rules that require they maintain names and addresses of their customers and their IP addresses, giving some relief to firms as many scramble to follow the new guidelines and some explore the option of leaving the South Asian market.
The Indian Computer Emergency Response Team, the body appointed by the government to protect India’s information infrastructure, said it is extending the enforcement of the new rules to September 25. The rules, unveiled in late April, was set to go into effect Monday.
CERT said it was extending the deadline because “additional time” had been sought by the industry players.
Its announcement follows sharp criticism from VPN providers, many of which including Nord and ExpressVPN, announced their intentions to remove local servers in the country.
Nearly two dozen cybersecurity experts and technologists from India and across the world sent a joint letter to CERT and Ministry of Electronics and IT on Monday, calling for the “dangerous CERT-In cybersecurity directions” to not be implemented.
“The Directions, as they stand, will have the unintended consequence of weakening cyber security, and its crucial component, online privacy. We are cognisant of the need for a framework to govern cyber incident reporting, but the reporting timelines and excessive data retention mandates prescribed in the Directions, will have negative implications in practice and impede effectiveness, while endangering online privacy and security,” they wrote.
CERT’s new directions require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” to store customers’ names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.
Lawmakers in India have made it clear that they have no intentions to relax the new rules.
Rajeev Chandrasekhar, the junior IT minister of India, said in a press conference last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country. The government, he said, will not be holding any public consultation on these rules.
The new rules also mandate firms to report incidents of security lapses such as data breaches within six hours of noticing such cases. Following pushback from advocacy groups, Chandrasekhar said last month that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that he said had stricter requirements.