India has reaffirmed its commitment to new cybersecurity rules under a directive from the country’s computer emergency response team — known as Cert-In — that will force virtual private server providers, cloud service providers, and virtual private network service (VPN) providers to store customer information.
Service providers will be required to maintain a database that includes user IP addresses, names, period of subscription, user email addresses, validated addresses, and contact information.
India’s junior IT minister Rajeev Chandrasekhar released a frequently asked questions document on Wednesday addressing concerns aimed at the new rules — particularly around the requirement that tech companies provide information on data breaches to government within six hours of the incident occurring.
“The nature of user harms and risks in 2022 are different from what it used to be a decade back … Rapid and mandatory reporting of incidents is a must and a primary requirement for remedial action for ensuring stability and resilience of cyber space,” said Chandrasekhar.
According to Reuters, Chandrasekhar also said that tech companies should “pull out” of the country if they do not want to comply with the new government directive.
Meanwhile, VPN provider ProtonVPN expressed concerns regarding the new rules, claiming that the regulations are “an assault on privacy and threaten to put citizens under a microscope of surveillance”, and that the company remains committed to its “no-logs policy”.
The FAQ document states that those who do not comply with the rules, failing to provide the information as specified, will be punishable with imprisonment for a term of up to one year, fined up to ₹100,000, or both. The new rules are set to be enforced from the end of June after being first announced on April 28.