Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K."
The development comes as the CERT-In has enforced new controversial data retention requirements that are set to come into effect on June 27, 2022, and mandate VPN service providers to store subscribers' real names, contact details, and IP addresses assigned to them for at least five years.
The logged user data, CERT-In emphasized, will only be requested for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
The agency has since clarified that this rule does not apply to corporate and enterprise VPN solutions and are only aimed at those operators who provide proxy-like services to "general Internet subscribers/users."
"The new data law [...], intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users' online activity private," ExpressVPN said. "The law is also overreaching and so broad as to open up the window for potential abuse."
The rules, dubbed Cyber Security Directions, also mandate firms to report incidents of security lapses such as data breaches and ransomware attacks within six hours of noticing them.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.