Explained: Indian government makes user data collection mandatory for VPNs

  • A new government directive will force virtual private networks (VPNs) to store user data for five years or longer.
  • The government took this decision on 28 April 2022 to curb cybercrime activities.
  • Here’s how it will affect users.
The Indian government has introduced a new IT policy that requires virtual private network (VPN) companies to collect extensive customer data and retain it for five years or more. The directive came from the Computer Emergency Response Team, CERT-In. The new policy lists data centers and crypto exchanges under the same provision. It will take effect in late June 2022.

VPN companies will have to keep user information even after users delete their accounts or cancel their subscriptions. Companies will have to store user names, IP addresses, usage patterns, and other forms of identifiable information.

The vulnerabilities that CERT-In has asked companies to report include fake mobile apps, data breaches, unauthorised access to social media accounts and many more.

Usually, VPNs have a no-logging policy. Companies operate only with RAM-disk servers and other log-less technology, which leaves them incapable of monitoring data and usage.

Recently, India has taken a heavy hand to online activities. Back in April, the Indian government banned 22 YouTube channels. In 2021, Twitter, Google, and Facebook had a standoff with the Indian government over control of social media content. Also, in 2020 the government banned over 200 Chinese apps, including TikTok.


According to the Ministry of Electronics and IT, the new policy aims to deal with the gaps that hinder the government in responding to certain cybercrime incidents.

How will the new policy affect the working of VPNs?
The key reason for using a VPN is to keep your IP address private. It allows customers to stay free of website trackers that track user data and location. Paid VPNs offer a no-logging policy that gives full privacy, as they operate on RAM-only servers. With the new change, VPN companies will be forced to switch to storage servers, allowing them to log user data and store it for five years or more. Switching to storage servers means higher costs for companies, and user privacy will no longer be the core functionality of these services.

The nitty-gritty of the policy is yet to be disclosed, and there is a chance that we might see some provision or alternative that ensures user privacy while keeping a log. While that seems unlikely, the only option is to wait and see how VPN providers adjust to this policy.

What will happen if VPN services keep your data?
Once VPN companies keep your data, they can access connection logs. They can keep track of the time when you connected to the VPN and how long you were connected. Companies can access the IP address and the server you originally connected to. With the enforcement of the new policy, VPN service providers can share your connection logs with law enforcement.

They can also access your usage logs, including the list of websites you visit, the content or messages you have sent or received, and the list of applications and services you access through your device. They can also access your physical location.
