CENTRE ASKS VPN SERVICES TO LOG, HAND OVER CUSTOMER DATA
NEW DELHI: Soon, companies offering virtual private network (VPN) or cloud services in India may be required to collect, as well as maintain, extensive and “accurate” data of their consumers for five years under the Union ministry of electronics and information technology’s (Meity) cybersecurity policy.
The new directives from India’s Computer Emergency Response Team (CERT-IN), the government’s nodal agency for detecting and responding to cyber incidents, may have far-reaching ramifications on how VPN services are offered and used in the country. “The failure to furnish the information or non-compliance with the...directions, may invite punitive action,” the order dated April 28 said. The policy, details of which were first reported by HT last week, will come into effect within 60 days of the order.
It states that all cloud service providers and VPN providers will be required to maintain extensive customer information, including validated names, address, contact number, email address and IPs, for at least five years. The rules will also apply to data centres and virtual private server (VPS) providers. The companies will have to maintain all customer information even after “any cancellation or withdrawal of the registration.”