Explained: What the new VPN rules means for internet users in India

NEW DELHI: India has passed a law that now demands all virtual private networks (VPN) service providers to store user data for at least five years. The national directive applies not only to VPN companies, but to cloud service providers, data centers and crypto exchanges, to collect specific, extensive customer data even if after users delete their account or cancel their subscription. Companies will have to store user names, IP addresses, usage patterns, other forms of identifiable information, and report “unauthorized access to social media accounts” as part of the directive. Those who do not comply could potentially face up to a year in prison.
The directive, issued by India’s cyber watchdog – the Indian Computer Emergency Response Team (CERT-In), meant to tackle cyvercrime, comes into effect on 27 June, 2022 and mandates VPN providers to maintain the following data as part of the know your customer (KYC) policy for five years:
Validated name of subscribers / customers
Period of hire
IPs allotted to the user
Email address, IP address and time stamp used at the time of registration
Purpose of hiring services
Validated address and contact numbers
Ownership pattern of the subscribers
Now, the primary aim of using a VPN is to keep one’s IP address private so users can stay clear of website trackers that track user data and location. With the new change, VPN companies will be forced to store servers and user privacy will no longer be a core functionality.
Point to note: Data from VPN adoption Index maintained by AtlasVPN, showed that India recorded more than 270 million VPN users in 2021, which is around 20% of the population. The usage of VPNs among smartphone users reached 25.27 per cent in the first six months of 2021 from 3.28 per cent population in 2020, as per data extracted from Google Play Store and Apple App Store by Sensor Tower. Also this: According to the Global VPN Usage Report 2020, India was the second-largest market for VPN, with 45% of internet usage happening through VPN, up from 38% in 2018.
What is the biggest USP of a VPN, especially for online transactions?
“VPNs hide your location and IP address when sharing an open network. They add another layer of encryption to your data, which means there are fewer chances of someone eavesdropping on your communications or intercepting private information like login credentials or passwords. This makes it very safe to access your bank account on public Wi-Fi, “said Murari Sridharan, CTO, BankBazaar.com.
A VPN will assign a user a temporary or a shadow IP address. Corporates usually use VPNs to allow employees to remotely log in to their work systems, without having to risk any sort of compromises that would put them in jeopardy.
According to Kaspersky, the primary job of a VPN is to hide your IP address from your ISP and other third parties. This allows you to send and receive information online without the risk of anyone but you and the VPN provider seeing it.
Via the VPN, all your data traffic is routed through an encrypted virtual tunnel. This disguises your IP address when you use the internet, making its location invisible to everyone. A VPN connection is also secure against external attacks. A VPN allows you to access regionally restricted content from anywhere in the world. Many streaming platforms are not available in every country. You can still access them using the VPN. People often turn to VPNs when their countries’ governments block useful applications. One of the most common examples are VoIP services – short for Voice over Internet Protocol, or in simple terms, phone services over the internet, such as WhatsApp, Telegram, Skype, etc.
Up until now, VPN providers in India did not store logs of your activities. Some providers may record your behavior, but do not pass this information on to third parties. This means that any potential record of your user behavior remains permanently hidden. But this is now set to change.
What are the repurcussions of the government move?
Money laundering will become tough
Stolen identities and banking fraud are very real concerns. While privacy is important for both VPN service providers and users to avoid being tracked, the government’s move will help to trace anti-social elements and cybercriminals indulging in various heinous activities online. The new regulation will also shut down for money laundering as with the rise in digital banking, VPNs were playing a big role in opening rooms to such illegal activities, “said Sucheta Mahapatra, MD India, Branch Personal Finance App.
Bank frauds and scams will dip
“India as a nation will definitely see a dip in cases with regard to bank frauds and scams due to the implementation of the new VPN regulations. Fraudsters and scammers will not be able to hide behind the mask of a VPN henceforth, and will be exposed for the crimes that they commit. The regulations will bring in much needed accountability and stability in the banking sector, “said Jahangir Panday, Co-founder and COO – Bridgeup.
But what does this imply for users?
User privacy dead
While VPNs will still remain legal, it will now be regulated in India. Moreover, VPN users are now at the risk of being targets of surveillance and loss of privacy.
“Users’ ability to rely on the privacy and anonymity offered by VPNs, data centers and cloud storage facilities for genuine and legitimate activities, may also be impacted. Also, with the rise in instances of large-scale data breaches at many technology companies, the user data stored by the service providers could always be at risk, “said Anupam Shukla, Partner, Pioneer Legal.
“The new VPN Rules could potentially violate the” Right to Privacy “of the customers, as enumerated under Article 21 as the rules direct the VPN providers to keep the personal data of users for 5 years or longer and the violation of which may tantamount to fine or jail term. Also, to comply with the same, all the VPN providers will have to amend their privacy policy and such unilateral amendments, post execution of contract, may violate the basic principles of Contract Act which may hamper the rights of the users “It will be rather interesting to see whether a direction for such collection of personal data will fall under the powers of Cert-IN as enunciated under 70B (4) of the IT Act,” said Ayush Sharma, Managing Partner of MS Law Paerners.
“By requiring VPNs to exhaustively maintain detailed records, they fundamentally undermine the privacy of users who seek to browse the internet without having state or private corporations monitoring their actions. The rules wrongly presume that those seeking anonymity have something to hide,” said Vrinda Bhandari , a Delhi-based lawyer.
Get ready for stricter KYC verification
The users / subscribers may also have to face stricter KYC verification process and will also be required to provide the reasons for hiring of services separately from their data being retained by service provider for a period of 5 years or more. With the increased cost of compliance, the service providers may also revise the rates for provisioning of services, said Rahul Goel, Partner, AnantLaw.
What are the legal implications?
Some VPN providers with servers in India are considering shutting down their servers in the country, but whether you can connect to the same VPN provider’s servers located in other countries is still a gray area.
“Although the directions are silent on their extraterritorial application, until further clarity on this by the government, it would be difficult to rule out the applicability of these directions on foreign body corporates having their networks located in India considering that the Information Technology Act, which is the parent legislation, has an extra-territorial applicability, “said Rishi Anand, Partner, DSK Legal.
“The security of a few internet users should not come at the cost of the privacy of the rest. Government should have implemented a robust data protection mechanism before introducing rules that mandate the collection of personal data by the service providers. Unfortunately, the long- awaited data privacy bill is nowhere in sight. These rules also impact the VPN service providers who offer a no-log policy, forcing these VPNs to either rework their entire technology or exit the country. The implementation may become challenging, considering the short period before the rules come into effect, “said Anupam Shukla, Partner, Pioneer Legal.
“In every business, players might be multiple but nature and ethics of business is the same and when that is compromised, the entire business model collapses.Same might happen with VPN which is gearing up to collide with the new VPN rules slated to come in place next month. While the basic idea behind VPN is to provide user anonymity, the rules force the players to store the data for 5 years and hand it to the Government when asked for. This is against the business policy of VPN providers and they are contemplating giving primacy to their policies rather than to directives and this might, as well, contribute to VPNs being declared illegal in India, “said Siddharth Jain, Co-Founding Partner, PSL Advocates & Solicitors.
The VPN service providers will now be required to report cyber incidents to CERT-In and also maintain all data including period of hire, IP addresses, ownership pattern etc for a period of 5 years. “This means that companies will be required to create dedicated cells within their IT departments to handle these requirements,” said Rahul Goel, Partner, AnantLaw.

.

Leave a Comment

Your email address will not be published.

%d bloggers like this: