All VPN services running servers in India must now comply with a new data law that has now officially come into effect.
Under the new CERT-In regulations, security software vendors are legally required to store user data, such as IP addresses, real names, and usage patterns, for up to five years. They will also be required to hand over this information to authorities upon request.
Since the publication of the government announcement on April 28, Internet users, privacy and cybersecurity experts have expressed concern about the negative impact of these regulations on people's privacy.
All this has led some of the best VPN services to take drastic measures in order not to compromise privacy values and continue to protect the anonymity of their users.
Although the laws and legislation of countries change, our priority to protect user privacy remains. Therefore, in light of the upcoming India Data Collection Directive, we will be removing our India-based servers. Despite this, users in India will still be able to use our services June 23, 2022
Read more
Why is India's new data retention law controversial?
Short for Virtual Private Network, a VPN is security software that protects people's privacy by hiding their real IP location while protecting their data within an encrypted tunnel.
To protect user anonymity, most private VPN services have strict no-logging policies. This means that no user data can be stored, disclosed or shared. This is exactly why asking for customer records is, as ExpressVPN described it, "inconsistent with the purpose of VPNs - opens in a new tab."
Also, India's new data retention law doesn't just affect VPNs. Cloud storage services, virtual private servers (VPS), data centers, and cryptocurrency exchanges are targets of the new CERT-In regulations.
This move comes in an attempt to curb the rising incidence of cybercrime. With over 86 million data breaches in 2021, India was the third most affected country in the world (opens in a new tab) last year.
However, as Surfshark explained in an official statement (opens in a new tab): "The collection of excessive amounts of data within Indian jurisdiction without strong safeguards could lead to more breaches at the national level."
Meanwhile, India was found responsible for 106 of the 180 internet blackouts in 2021 (opens in a new tab), according to digital rights activist Access Now. Not to mention the rollback of press freedom and accusations that the Indian government used Pegasus technology to spy on activists, politicians and lawyers.
With such a record, it is not hard to see why citizens and experts fear that authorities will misuse this data capture to encourage intrusive mass surveillance practices and undermine civil liberties.
However, privacy is not the only one at risk. India's new data law could hurt the growth of the IT sector in the country. As Sudip Saha, COO of Future Market Insights, told TechRadar, "VPN bans will mainly harm corporate interests by discouraging investment and business in India."
How VPN providers plan to protect user privacy
Many VPN providers have opposed the Indian government's decision, expressing their commitment to their company values.
Some of them have decided to go virtual to protect the privacy of users. How? They have set up virtual locations so that people in India can still connect to a spoofed Indian IP address. These offer the same functionality, but user data will be safe as their connection will be redirected to servers physically located outside the country's borders.
Providers now offering virtual locations in India include ExpressVPN, Surfshark, CyberGhost, Private Internet Access (PIA), and PureVPN.
Some, like IPVanish, plan to offer something similar in the future. However, at the time of writing, the Indian virtual locations have yet to be announced.
Others, despite shutting down their Indian servers, say they have no intention of introducing fake locations. These include NordVPN, Hide.me, and AtlasVPN.
As NordVPN's Laura Tyrylyte told us, "We believe we're going to find a way to meet the demands of all of our customers, regardless of their location."
ProtonVPN also disagreed with the new CERT-In regulations and suggested secure ways to connect to VPN servers in high-risk countries (opens in a new tab). These include the use of one of their Secure Core servers for an additional layer of encryption.
At the same time, Windscribe said it plans to keep its Indian servers, "unless our Indian hosts force us to quit."
Compare the best Indian VPN services right now: