India’s Computer Emergency Response Team (CERT-In) decided on Monday to extend the compliance deadline for the new privacy rules for data centers, Virtual Private Network (VPN) providers, Virtual Private Server (VPS) providers and Cloud Service providers by an additional three months.
Compliance with the new privacy rules in India was to begin on June 27, 2022, but the deadline has now been extended to September 25, 2022.
“It has been urged that the timelines for the implementation of these Cybersecurity Guidelines of April 28, 2022 related to micro, small and medium-sized enterprises (SMEs) be extended to allow reasonable time to generate capacity building needed for implementation of these guidelines,” CERT-In highlighted in its new notification on Monday.
“Extra time has also been sought to implement a subscriber/customer validation mechanism by data centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers.”
For the uninitiated, CERT-In issued Cyber Security Directions to data centers, VPS providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers on April 28, 2022, requiring them to collect and store user information for at least five years, including after users no longer use the service, and transfer it to the agency. Anyone who refuses to comply risks a maximum prison sentence of one year.
The new rules required them to collect the following information:
- Validated names of subscribers/customers who hire the services
- Rental period including dates
- IPs assigned to/used by the members
- Email address and IP address and timestamp used at time of registration/on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers who hire services
The new rules have rightly been criticized by VPN providers, cybersecurity experts and technologists, who said they would seriously weaken privacy and security for the Indian market.
Cybersecurity experts from India and around the world have called for a delay in compliance with the directions issued in April. They sent a joint letter to CERT-In and the Ministry of Electronics and Information Technology (MeitY) on Monday warning them of the negative impact that the directions would have on cybersecurity and privacy.
“The guidelines in their current form will have the unintended effect of undermining cybersecurity and the most important part of online privacy. We are aware of the need to create a framework for reporting cyber incidents, but the reporting deadlines and excessive holds set out in the Guidelines will have negative impacts in practice and hinder effectiveness, while endangering privacy and online security,” they wrote.
Meanwhile, VPN providers such as NordVPN, Surfshark, ExpressVPN and PureVPN have already shut down their physical VPN servers in India, saying the new VPN rules violate the right to privacy protection.
The Indian government, for its part, has made it clear that it has no plans to relax the new rules, nor will it hold any public discussions on the subject.