The government on Wednesday asserted that the new CERT-In directives have to be followed by everybody, be it virtual private network (VPN) service providers, cloud service providers or others, and that anyone who does not want to abide by the rules is free to pull out of the country. The stern warning from the government came after a few VPN service providers threatened to leave the country in the wake of the new rules, which mandate storing data of users for a period of five years.
“There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out from the country, frankly, that is the only opportunity you will have. You will have to pull out,” minister of state for electronics and IT, Rajeev Chandrasekhar, told reporters while releasing frequently asked questions (FAQs) regarding the rules.
The Indian Computer Emergency Response Team (CERT-In), in its April 28 directive, has asked VPNs, cloud service providers, government and private agencies, intermediaries and data centres, among others, to store data of users for a period of five years. Apart from storing data, CERT-In has asked that cyber security breach incidents be mandatorily reported to it within six hours of noticing them. These directions will become effective after 60 days. Non-compliance with the new rules may attract penal provisions under the Information Technology (IT) Act.
Data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers are required to maintain basic information about the customers (individual, partnership, association, company etc., of whatsoever nature) who use their services, with brief particulars of key management. All entities operating in India are expected to maintain such data in a safe and secure manner.
Logs may also be stored outside India, as long as the entities meet their obligation to produce the logs to CERT-In within a reasonable time.
However, the government has clarified that this direction does not apply to enterprise/corporate VPNs. “No. For the purpose of this direction, VPN service provider refers to an entity that provides ‘Internet proxy like services’ through the use of VPN technologies, standard or proprietary, to general internet subscribers/users,” the government clarified in the FAQs.
Further, the new rules would not impact the privacy of citizens. “The right to informational privacy of individuals is not affected…. These directions do not envisage seeking of information by CERT-In from the service providers on continuous basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country. The service providers are bound to protect the users’ information by following reasonable security practices and procedures,” the FAQs explained.
Service providers that do not have a physical presence in India are required to designate a point of contact to liaise with CERT-In.