India Delays Implementation of VPN Data-Collection Rule by 3 Months

pcmag.com:

India’s new policy that requires VPN services to log and potentially turn over data on their customers was supposed to go into effect on Monday, but the country has decided to push back the date by three months. 

The policy is now set to go into effect on Sept. 25. The Indian government settled on the new date, citing requests from companies asking for an extension. 

“Further, additional time has been sought for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” Indian authorities announced(Opens in a new window) on Tuesday. 

India introduced the policy back in May with the goal of helping the country fight cybercrime. Soon, all internet and cloud service providers will need to maintain logs of their systems, and report hacking incidents to India’s cyber authorities within six hours of detection.

However, India has also decided to apply the new policy to VPNs, which are designed to protect user’s privacy, not undermine it. The upcoming rules specifically call for all VPN providers serving users in the country to collect the IP addresses their subscribers use. Indian authorities can then request the data, along with a subscriber’s name, email address, and contact number. 

The IP address data, in particular, could be used to map out a VPN subscriber’s browsing history if it’s coupled with information from other web providers. As a result, at least five major VPN providers have decided to remove their physical VPN servers in the country, saying India's data collection policy goes too far.

On Monday, PureVPN told us: “We are a strict no-log company. While we do not