India’s Data Collection Rule Is Forcing Us Out – We’re Removing Our Indian Servers

India’s Computer Emergency Response Team (CERT-in) introduced a new directive that requires all VPN, VPS, and cloud providers to store sensitive user data for a minimum of five years. The directive is set to be enforced starting as June 27, 2022.

As a VPN provider, this directive would have us store and share user data with the Indian authorities. This practice contradicts our mission to deliver uncensored internet culture and online privacy. This is why we, the team behind CyberGhost VPN, have decided to remove our physical servers from India.

We’ve taken this decision because we absolutely refuse to monitor or store your usage data. Instead, we’ll be offering virtual server locations which you can use to access Indian content and get an Indian IP address.

Read on for all the details you need to know.

CyberGhost VPN Is Removing the India Servers and Offering an Alternative

Owning servers in India is no longer an option since it would require logging your data. This privacy-invasive practice goes against everything we stand for, not to mention the basic premise of our service. To protect our Ghosties’ online privacy, CyberGhost VPN is pulling out the Indian-based servers.

This doesn’t mean our service will no longer be available in India. It’s still possible and legal to use CyberGhost VPN within Indian borders. We’re also not leaving the people of India without the option to access domestic content, which is why we’re deploying virtual server locations for Mumbai, India.

We’re no strangers to virtual locations. We’ve been using virtual server locations for a while now, and we generally deploy them in countries where logging user data is mandated by law. This includes countries like Russia, China, and Saudi Arabia.

We’ve optimized our virtual server locations to provide you with a fast, stable, and reliable connection. As a result, you won’t notice a difference when you connect to an Indian IP address through the CyberGhost VPN apps. You’ll also still be able to access region-specific content, like Hotstar or Netflix India.

People in India can still use CyberGhost VPN to improve their privacy. Through virtualization, we’re not legally obligated to keep tabs on your online activity or personal information. We have a strict No Logs policy in place, and we’ll never compromise your digital privacy.

Our servers are RAM-only, and they’re secured with the highest encryption standards. Every reboot wipes them down, so there’s no data government authorities or law enforcement agencies can try to access.

All You Need to Know about India’s No. 20(3)/2022-CERT-In Directive

India’s Computer Emergency Response Team (CERT-in) introduced No. 20(3)/2022-CERT-in, which is a data collection directive. It requires online companies and service providers to store user activity and user data to be used in the event of cyber incidents and/or cybersecurity events.

That seems like a mouthful, so let me simplify. India’s IT ministry requires companies and any online service with physical servers within its jurisdiction to collect sensitive customer data. They also need to store this user data for at least 5 years, even if their customers are no longer using the services.

The Indian government claims this will help combat cybercrime and improve the response time for cybersecurity incidents.

Does This Directive Help Fight Cybercrime?

The Indian IT ministry says that this directive will help fight cybercrime and keep more people safe online. But is this true? It’s still too early to say, but the evidence would suggest “no.”

Look at Snowden’s revelations or the PRISM program which was used by the National Security Agency (NSA) to mass collect online user information for years after the tragedy of 9/11. The NSA acquired massive troves of user information through US service providers like Google, Facebook, Apple, and others. This way, PRISM stored:

          • IP addresses.
          • Usernames.
          • Browsing history.
          • Email logs.
          • Search history.
          • Contents of emails and chats.
          • Recording of VoIP calls.
          • Cloud-stored files.

NSA officials said they collected all this information to combat terrorism, but evidence shows they collected this data indiscriminately – the PRISM program led to just one convicted case. You read that right.

Jamshid Muhtorov was the only man convicted of supporting a foreign terrorist group with the help of PRISM’s data collection practices. Yet, millions of people have had their private online details scanned, stored, and monitored all in the name of state security.

The result of such widespread surveillance as we’ve seen with PRISM boils down to this: all that trove of data was never deleted and is still being shared with intelligence agencies around the world.

Do we have any indication that India’s No. 20(3)/2022-CERT-In will be any different? You can be the judge of whether year-long bulk data collection is an acceptable trade-off for such a small result.

What This Directive Means for Online Privacy in India

India doesn’t have a stellar history of upholding digital privacy rights.

    • ➡ In 2020, India temporarily banned TikTok, WeChat, and PUBG as a matter of “state security and public order”.
    • ➡ In 2021, the Indian government threatened Twitter employees with up to 7 years of jail if they refused to ban accounts associated with the Indian farmers’ protest or accounts expressing their dissatisfaction with how Indian authorities handles the Covid-19 pandemic.

Government-imposed internet shutdowns are not unheard of, especially in the Kashmir region. This led many to believe that the No. 20(3)/2022-CERT-In directive might be politically motivated. Under it, companies must report “unauthorized access to social media accounts.” It’s not clearly defined what that means, so many speculate this refers to banned social media platforms like TikTok.

Millions of people in India have long used VPNs to escape censorship, protect their data from surveillance, and bypass shutdowns. Now, the authorities are trying to weed out that option.

This data collection directive is a privacy nightmare. Unless companies can guarantee they have stellar cybersecurity practices in place, holding onto PII user data for such a long time is a disaster in the making.

Best case scenario: we’re looking at a lot more company-wide data breaches. Worst case scenario: India suffers the same fate as Ecuador did when almost the entire population had their personal information leaked.

Are VPNs Illegal Now in India?

As of now, there’s no clause in the directive that makes it illegal to use a VPN service. Both commercial and business VPNs remain legal. The only difference is that VPN providers are now under the legal obligation to retain user data for at least 5 years if they work with data centers in India.

Don’t let India’s IT ministry scare you out of securing your data. Use CyberGhost VPN to protect yourself against online surveillance and bypass censorship. We abide by our strict No Logs policy, which is why we’ve pulled our servers out of India to avoid complying with this new directive. We don’t monitor, collect, or store your data under any circumstances.

We’re also offering a work-around for those in India that want to surf with increased privacy but domestically. We have virtual server locations for Mumbai, India. These physical servers generating your Indian IPs are not within Indian borders, so they do not have to comply with the No. 20(3)/2022-CERT-In rule. Instead, they give you an Indian IP address while encrypting your data and securing your internet traffic from prying eyes.

Should I Use a VPN in India?

We went through how India’s No. 20(3)/2022-CERT-in will require VPN companies to store PII user data, and what we’re doing to continue to secure your privacy. But here’s the thing: VPN and VPS providers are not the only companies in India that, by law, need to store your information.

The directive only names VPN, VPS, and cloud services by name, but doesn’t specify what falls under “online service provider”. The assumption you can make is that every company that can store your information in India will be forced to do so – this is because the directive clearly mentions data centers.

Screenshot of India's data collection directive highlighting that data centers need to comply

In this case, it’s best to err on the side of caution, and get a trustworthy VPN to secure your data.

CyberGhost VPN no longer has servers within Indian borders and can’t be subjected to this data collection directive. That said, we do offer Indian IPs, so VPN you won’t be locked out of regional content either. We set up virtual server locations that will give you an Indian IP address and enable access to the sites you know and love free of censorship and restrictions.

Get CyberGhost VPN and enjoy:

It’s all completely risk-free with our 45-day money-back guarantee!

FAQ

Do VPNs in India collect user data?

On April 28 2022, India’s Computer Emergency Response Team (CERT-in) announced 20(3)/2022-CERT-In, a data collection directive. This new directive goes into effect June 27, 2022, and it requires online service providers to collect and store sensitive user data. This ruling pertains to VPN providers that are registered in India and/or have servers in India.

Reputable VPNs like CyberGhost pulled servers out of India to maintain a legally compliant No Logs service. If you want to improve your privacy online, get CyberGhost VPN to protect your data from all prying eyes, including India’s IT ministry.

What personal information do Indian companies have to log?

Indian companies have to log specific information based on the service they provide. Those that provide online services generally collect your:

          • Name and/or username.
          • Subscription information.
          • Payment information.
          • IPs used and connection timestamps.
          • Email addresses, phone numbers, and other contact information.
          • User activity and/or browsing history.

Even if you cancel your subscription, the company needs to store your data for at least half a decade.

Are VPNs still legal in India?

India’s new directive No. 20(3)/2022-CERT-In will require VPN providers and cloud service providers to store personally identifiable information (PII). It doesn’t outlaw VPN or cloud services, which means that it’s still legal to connect to a VPN while you’re in India.

That said, if you want help masking your identity online, you need a service like CyberGhost VPN that doesn’t monitor or store your data. We removed our physical VPN servers in India so our service doesn’t fall under the data collection requirements this new directive poses.

Should I use a VPN in India?

Companies and data centers in India have to collect and store your private details. The Indian IT ministry now wants VPN companies to collect data, too. The only way that can enforce this is by forcing VPN companies to log information on VPN servers that are within Indian borders. This is why trustworthy services like CyberGhost VPN removed their Indian servers. Instead, we now offer virtual server location that gives you an Indian IP address.

Caution: stay away from free VPNs. Even before this new directive, many free VPNs monitored user traffic and sold their customers’ information to data brokers. Now, they are legally required to store your information for at least 5 years, so there’s no telling where your data can end up.

What is the best VPN for privacy?

Your go-to choice for online privacy should be CyberGhost VPN. Our VPN apps seal every bit of your data behind military-grade encryption and hide your IP address to make you untraceable online. No one can track what you do online, and no one can keep tabs on you anymore.

Every day we offer our community of over 38 million safe VPN connections a reliable service, and the tools to evade online censorship. Try it out risk-free with our 45-day money-back guarantee!

Leave a comment

hi

The freelancing work that i do require me to use a US ip address as such would need to log in to a US vpn from India

will the new vpn law affect me after june 28th if i enroll for cyberghost vpn. I just need to show that the computer has a US ip address while working for a US based client.

Reply

Hi AD. We’ve taken the necessary measures from our side, so you can use an US IP address with no issues. We abide by our strict No Logs policy. We don’t monitor what you do online, and we’ll never share your data with any government bodies. India’s new data collection rule won’t affect you if you use CyberGhost VPN.

Write a comment

Your email address will not be published. Required fields are marked*