The Indian Computer Emergency Response Team (CERT-In) on Monday decided to postpone its new privacy rules for Data Centers, Virtual Private Network (VPN) providers, Virtual Private Server (VPS) providers, and Cloud Service providers, for another three months.
The deadline to comply with the new privacy rules in India was set for June 27, 2022, but has now been extended to September 25, 2022.
“The extension of timelines for implementation of these Cyber Security Directions of 28th April 2022 have been urged in respect of Micro, Small and Medium Enterprises (MSMEs) for providing reasonable time for generating capacity building required for the implementation of these Directions,” CERT-In highlighted in its new notification on Monday.
“Also additional time has been sought as well for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers.”
For the uninitiated, on April 28, 2022, CERT-In issued Cyber Security Directions to Data Centres, VPS providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers, which require them to collect and store user information for at least five years, even after users stop using the service, and hand it over to the agency. Those who refuse to comply may face up to a year in prison.
The new rules required them to collect the following information:
- Validated names of subscribers/customers hiring the services
- Period of hire including dates
- IPs allotted to / being used by the members
- Email address and IP address and time stamp used at the time of registration / on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers / customers hiring services
Justifiably, the new rules were widely criticized by VPN providers, cybersecurity experts, and technologists, who said they would severely weaken privacy and security for the Indian market.
Cybersecurity experts from India and around the world have called for a deferral of compliance with the Directions issued in April. They sent a joint letter to CERT-In and the Ministry of Electronics and Information Technology (MeitY) on Monday, warning of the negative impact that the Directions would have on cybersecurity and privacy.
“The directions in their current form will have the unintended consequence of undermining cybersecurity and its key component of online privacy. We are aware of the need to create a framework for reporting cyber incidents, but the reporting deadlines and excessive data retention orders set out in the Guidelines will have negative consequences in practice and hamper effectiveness, while threatening privacy and online security,” they wrote.
Meanwhile, VPN providers like NordVPN, Surfshark, ExpressVPN, and PureVPN have already shut down their physical VPN servers in India, as they feel the new VPN rules violate the right to privacy protection.
For its part, the Indian government has made it clear that it has no intention of relaxing the new rules and will not hold public discussions on the subject either.