Government Postpones Compliance Deadline for VPN Providers to Store, Share User Data to September 25

VPN service providers have been told to collect and store user information for five years or longer.

By Sourabh Kulesh | Updated: 28 June 2022 12:43 IST

Highlights

The first directive was issued on April 28
Time for generating capacity building for implementation sought
Non-compliance with the order may invite "punitive action"

Government Postpones Compliance Deadline for VPN Providers to Store, Share User Data to September 25

The cybersecurity directives were to come into effect on June 28

Photo Credit: Unsplash/ Petter Lagson

The Indian Computer Emergency Response Team (CERT-In) appointed by the Ministry of Electronics and Information Technology has extended the implementation date of its April 28 order in which it asked virtual private network (VPN) providers to register and preserve user information for at least five years. Additionally, the compliance deadline for all government and private agencies to mandatorily report cybersecurity breach incidents to it within six hours of noticing them has also been pushed forward. The order, which was to come into force on June 28, will now become effective on September 25, 2022.

In a new directive issued on Monday, CERT-In said that it has taken into consideration the extension of timelines sought by VPN service providers as well as Micro, Small and Medium Enterprises (MSMEs) for enforcement of Cyber Security Directions of April 28, 2022 issued under sub-section (6) of section 70B of the Information Technology Act, 2000.

Data centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers sought more time for validation of subscribers/customers. MSMEs sought more time for generating capacity building required for implementation of the cybersecurity directions. As mentioned, the compliance date for both these cybersecurity directives has been postponed to September 25, 2022.

VPN Providers Say 'No' to Share User Data Under Government's Directive

In the directive issued in April, VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — were ordered to register and maintain accurate information of their services for five years or longer “as mandated by the law after any cancellation or the registration as the case may be”.

The user information mentioned includes “the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validated address and contact numbers, and ownership pattern of the subscribers signing into the service.”

Furthermore, it was also directed that the service providers will have to present the information as called for by CERT-In — failing of which (or non-compliance with the order) may invite "punitive action" under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable.

CERT-In had also asked all government and private agencies, including Internet service providers, social media platforms, and data centres, to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.

Is Poco F4 5G a new best-of contender under Rs. 30,000? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.