New VPN regulations in India: are they a threat to users’ privacy?

Navratan Lal Gupta
Published in Linux Shots
3 min read · Jun 16, 2022

On April 28th, 2022, CERT-IN, Ministry of Electronics and IT, India, issued a direction to VPN providers to collect and store users’ data, including their IP addresses, contact numbers, email IDs, purpose of hiring the service, timestamp of registration and ownership pattern, for at least 5 years.

CERT-IN’s directions are applicable to all VPN providers having their servers hosted in India and to all service providers, data centers, intermediaries, cloud service and VPS providers, and virtual asset providers. However, CERT-IN has clarified that this regulation will not be applicable to enterprise or corporate VPNs.

The regulations are set to come into effect from 27th June 2022.

Image Source: https://www.mydigitalfc.com/fc-weekend/privacy-vs-snooping

How does it affect VPN providers?

A VPN (virtual private network) is used by privacy-conscious users to prevent ISPs and other internet providers from collecting Internet usage data. It prevents users’ IP addresses and usage patterns from being tracked by websites, cyber-criminals or any law enforcement agencies.

The sole purpose of a VPN is anonymity. Almost all VPNs have a no-log policy to ensure users’ anonymity and privacy, and this is their primary selling point (USP). With the new regulations, they will be obliged to store logs of their customers and their IP addresses for at least 5 years if they want to continue operating in India. Failing to do so will attract penalties and make them illegal entities in India.

Many top VPN service providers, such as ExpressVPN, Surfshark and NordVPN, have stuck to their no-log policy and planned to remove their servers from India.

India currently has over 270 million VPN users (around 20% of the population). With these new regulations, VPN providers are certainly going to lose a good market.

How does it affect Indian users?

Logging of users’ usage data and IP addresses makes VPNs irrelevant. All the activities an Indian user performs on the Internet will be recorded and kept by ISPs, VPNs (those that continue to stay in India), cloud providers and data centers for 5 years.

Which other countries have such regulations?

India is not the only or the first country to implement a ban or controls on VPNs. India is going to join China, UAE, North Korea and a few others in banning or controlling VPN usage.

What are the reactions?

VPN providers have strongly opposed these regulations and termed them a threat to users’ privacy and Internet freedom.

News Sources:

Thanks

Navratan Lal Gupta

Linux Shots
