Privacy India requires VPN Service Providers to log client activities and keep accurate information on them

On 28 April 2022, the Computer Emergency Response Team of India (CERT-In) issued directions under sub-section (6) of section 70B of the Information Technology Act of 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents for safe & trusted Internet. The directions were set to be effective as from 60 days from the date of issue, i.e they became effective as from 27 June 2022.

These directions require Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to:

• synchronise their ICT systems clocks with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL),
• report cyber incidents within 6 hours to CERT-In,
• designate a Point of Contact to interface with CERT-In,
• maintain logs for a period of 180 days,
• register the following information accurately and maintain them for a period of 5 years:
  a) validated names of subscribers / customers hiring the services,
  b) period of hire including dates,
  c) IPs allotted to / being used by the members,
  d) email address and IP address and time stamp used at the time of registration / on-boarding,
  e) purpose for hiring services,
  f) validated address and contact numbers,
  g) ownership pattern of subscribers / customers hiring services.

As a result of these privacy-shattering instructions, NordVPN has shut down its servers in India since 26 June 2022. However, NordVPN services are still available in India.

ExpressVPN says that it refuses to participate in the Indian government's attempts to limit Internet freedom.

They have removed their servers from India and instead they are providing VPN servers located in Singapore and the UK with Indian IP addresses. Users may select the VPN server location "India (via Singapore)" or "India (via UK)".