The Indian government is giving VPN and cloud service providers an additional three months to comply with the logging requirement. The new rules would officially apply from Monday. By delaying the entry into force for three months, India wants to give companies more time to comply with the new rules.
That writes the American tech site TechCrunch.
India announces strict logging rules
In late April, India said new legislation for VPN and VPS providers, data centres and cloud service providers was on the way. The government demanded that these companies keep logs of their systems from June 27. They had to register, among other things, who used their services, the start and end dates of a subscription, the original IP address of users, email addresses, contact details, financial transactions and account cancellation dates.
The Indian government demands that the above data be kept for five years after the termination of an account. The log files of the computer systems must be kept for 180 days in India. If necessary, this data should be handed over to the Indian Computer Emergency Response Team (CERT-In). Finally, tech companies are required to report a serious security problem, cyber attack, data breach or data theft within six hours.
After the decision, one VPN provider after another announced the removal of their location servers in India. It started with ExpressVPN, followed by Surfshark and Private Internet Access (PIA).
Tech companies fear ‘weakening cybersecurity and online privacy’
According to TechCrunch, CERT-In announced Monday evening that the enforcement of the logging rules will be postponed by three months. This means that the new regulations will not come into effect until September 25. The deadline has been pushed back because the companies had asked for “extra time” in a joint letter.
The letter was addressed to CERT-In and the Ministry of Electronics and IT. The signatories asked the department not to implement the “dangerous cybersecurity guidelines”. “Current instructions will inadvertently weaken cybersecurity and its critical component, online privacy,” they write.
The signatories continue their story. “We are aware of the need for a framework for reporting cyber incidents, but the deadlines prescribed in the instructions for reporting and excessive data retention will have negative impacts in practice and hinder effectiveness while compromising online privacy. and endanger safety.”
Minister calls reporting obligation ‘very generous’
Rajeev Chandrasekhar, the electronics and IT minister, said last month that VPN providers seeking to disguise the identities of their users “will have to withdraw” from India. He also made it clear that he didn’t feel like discussing the new rules. He also said he found the six-hour reporting requirement “very generous”. The minister emphasized that Indonesia and Singapore are stricter with the reporting obligation.
In the European Union, companies and organizations have 72 hours to report a data breach or ‘report of a personal data breach to the national regulator. This is laid down in Article 33 of the General Data Protection Regulation (GDPR).
Catch up on more articles here
Follow us on Twitter here