After Surfshark and ExpressVPN, Panama-based virtual private network (VPN) service provider NordVPN has decided to remove its servers from India, citing the April 29 directions of the Indian Computer Emergency Response Team (CERT-In), the company said in a statement to Moneycontrol.
The VPN service provider said it would remove its servers on June 26, a day before the directions come into force.
“As one of the industry leaders, we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards. Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN, said in a statement to Moneycontrol. She added that consumers would be notified through the app from June 20.
The April 29 directions bring in additional compliance requirements for all body corporates whose users are in India. They have been criticized by industry and civil society alike. VPN service providers, including NordVPN, have slammed them, citing privacy concerns arising from requirements that mandate service providers to log customer details, IP addresses allotted, etc., for some time.
Tyrylyte said that the regulation would increase the storage of private information and would directly impact citizens’ data. “As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies,” she said.
She also drew parallels between the CERT-In directions and regulations introduced by authoritarian governments, and asserted that the rules would hurt people’s privacy.
“In the past, authoritarian governments typically introduced similar regulations to gain more control over their citizens. If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech. One way or another, this law will likely hurt people’s privacy and digital security,” she added.
ExpressVPN and Surfshark
On June 2, ExpressVPN announced that it had removed its servers from India, terming the CERT-In guidelines “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.”
Five days later, on June 7, Surfshark announced that it too would be shutting down its servers in the country.
Gytis Malinauskas, Head of Legal at Surfshark, said, “The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base.”
The ambit of CERT-In directions
Removing their servers from India is unlikely to take NordVPN, ExpressVPN, or Surfshark outside the ambit of the CERT-In directions.
In the FAQs issued by the Ministry of Electronics and Information Technology (MeitY) on the CERT-In directions, the agency had clarified that the laws “apply to any entity whatsoever, in the matter of cyber and cyber security incidents.” In another FAQ on whether the rules apply to service providers not located in India but catering to Indian users, CERT-In reiterated the same.
The FAQs had also clarified that the directions would not apply to enterprise and corporate VPNs.
Last month, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar warned VPN companies that they are free to leave the country if they do not follow the directions.
Chandrasekhar, addressing a press conference on the clarifications issued by CERT-In on the April 28 directions, said, “There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining their logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”
Last week, in a meeting chaired by Chandrasekhar, MeitY said it was considering relaxations for MSMEs and startups from the CERT-In directions. It also clarified other provisions of the rules that have caused concern in the industry, including the cybersecurity reporting mandate.