VPN Providers Will Be Jailed In India If They Fail To Store Users’ Data: Strict Guidelines Issued

Companies offering Virtual Private Network, or VPN services have been directed by the Union government to collect and store information of Indian users for up to five years.

But isn’t VPNs all about clandestine browsing? Then what is the point of storing the information of the user.

The answer lies in the question itself. Since anything and everything has a scope of use as well as abuse. It is important that some prudence practiced. VPNs are no exception to these rules as well.

Though an average person may not cause a potential threat but then there are hackers who are a categorical threat. 

Curtail The Cybersecurity Threat

Since Virtual Private Networks allow users to mask their location and browse the internet without divulging their search history to the internet service providers, these are extensively used by hackers to access the websites which are banned in their respective countries.

Hence, in a set of directions issued on April 2 by the Indian Computer Emergency Response Team, also known as CERT-In, VPN providers in India now need to store names, addresses, contact numbers, period of subscription, email and IP address, and the client’s purpose of using their services among others. 

The CERT-In is India’s nodal agency on cyber security threats and works under the Ministry of Information Technology. The new directive which will come into effect from June-end and will also be applicable to cloud service providers and virtual private server providers.

According to the internet security services firm Norton, VPN services are currently regulated, or are completely banned, in only a few countries like Belarus, China, Iraq, North Korea, Oman, Russia, and the United Arab Emirates. 

Directions by India’s Nodal Agency, CERT-In

CERT-In said that cryptocurrency exchanges have also been directed to maintain a record of financial transactions of users for a period of five years.

In its order Certain said “The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years”.

The decision has been taken to ensure the security of payments and financial markets for citizens, while also “protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”, CERT-In stated in its directive.

The cyber security agency also said that any organization which fails to comply with the directions can face action under subsection (7) of section 70B of the Information Technology Act. The section has provisions of a jail term of one year, a fine of up to Rs 1 lakh, or both.