The deadline to comply with the Computer Emergency Response Team’s controversial new rules has been extended by three months, leaving small enterprises and virtual private network service providers in India to breathe a little easier, albeit not for long.
Earlier this year on April 28, a notice under Section 70B of the Information Technology Act was sent around asking VPN providers to keep user data for up to five years. In response, many of them pulled their servers from the country. Many other stakeholders in the industry asked for more time to comply with the new rules. Originally slated to come into force on June 28, they will now be enforced starting September 25.
The Ministry of Electronics and Information Technology released a statement saying that both it and CERT-In had received many requests to extend the timeline of the implementation of cybersecurity rules from April 28, 2022. The statement further said that it was extending the deadline keeping in mine the time that was needed for the “implementation of mechanisms for validation of subscribers/customers” by the various stakeholders in the industry. Meanwhile, the MSME sector has asked for a deadline extension of 300 days from June 28.
Also Read: Cloudflare outage: Why did it happen?
The rules have been widely criticized by Internet freedom watchdogs. The data that VPN providers must store includes their names, emails, usage patterns and even their IP addresses. VPN providers say that the data they’re being asked to keep is against their policy as it is a breach of policy, violating the point of such a service. Companies like NordVPN, ExpressVPN and Surfshark have pulled their servers after the ruling, but continue to offer “no logging” services, which don’t track data of the users on the platforms.
VPN providers aren’t the only ones who have been hit by the notice. Digital wallet providers as well as digital asset management companies will also be required to keep records of their financial transactions and know-your-customer records for five years.
The Internet Freedom Foundation, one of India’s Internet advocacy groups has called the new directions a bit to “undermine online privacy and security” of Indian users and that there should be a “complete recall” of the notice so that there can be public consultation on the matter.