Any VPN with servers in India must now store activity logs on users

Many leading VPN providers have already left the country

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Update:As of June 28, Indian authorities have extended the deadline for VPNs to leave or amend logging practices toSeptember 25(link heads to The Indian Express).

AllVPNservices running servers in India must now comply with a new data law that has now officially come into force.

According to new CERT-In regulations, security software companies are legally obligated to store users' data - likeIP addresses, real names and usage patterns - for up to five years. They will also be required to hand this information over to authorities upon request.

Since the government announcement was released on April 28, internet users, privacy advocacy and cybersecurity experts have been expressing concerns on how these regulations will have anegative impact on people’s privacy.

All this has led to some of thebest VPNservices taking drastic measures in order not to compromise privacy values and to continue safeguarding the anonymity of their users.

While countries' laws and legislations change, our priority to safeguard user privacy remains. Therefore, in light of India’s upcoming data collection directive, we’ll be removing our India-based servers. Despite this, users in India will be able to continue using our services.June 23, 2022

Why is India’s new data retention law controversial?

Short for virtual private network, a VPN is security software that protects people’s privacy by masking their real IP location while securing their data inside anencrypted tunnel.

For safeguarding users' anonymity, themost private VPNservices around all enforce strict no-log policies. This means that no user data can be stored, leaked or shared. This is exactly the reason why an obligation to retain customers' logs is, asExpressVPNdescribed, ‘incompatible with the purpose of VPNs.’

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

What’s more,India’s new data retention lawdoesn’t affect only VPNs.Cloud storage services, virtual private servers (VPS), data centers, and cryptocurrency exchanges are all targets of the new CERT-In regulations.

The move comes in an effort to clamp down on ever-growing incidence of cybercrime. With more than 86 million data breaches in 2021, India was thethird most affected nation worldwidelast year.

However, asSurfsharkexplained in anofficial statement: “Collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”

At the same time, India has been found responsible for106 out of 180 internet shutdowns executed in 2021- according to digital rights campaigner Access Now. Not to mention backsliding media freedom and the allegations that theIndian government used Pegasus technologyto spy on activists, politicians and lawyers.

With such a track record, it’s not difficult to understand why citizens and experts fear that authorities might abuse this data-grab to foster intrusive mass surveillance practices and undermine civil liberties.

Not just privacy is at risk, though. India’s new data law might damage the IT sector’s growth in the country. As Future Market Insights COO Sudip Sahatold TechRadar: “Bans on VPNs will primarily hurt corporate interests by acting as a disincentive to investments and doing business in India.”

How VPN providers are planning to protect users' privacy

Many VPN providers have taken a stand against the Indian government’s decision, expressing their commitment in their company’s values.

Some of those have decided togo virtual to protect the privacy of users. How? They set upvirtual locationsso that people in India can still connect to a spoofed Indian IP. These offers the same functionality, but users' data will be safe as their connection will be rerouted to servers physically located outside the country’s borders.

Providers that are now offering virtual India locations includeExpressVPN,Surfshark,CyberGhost,Private Internet Access (PIA)andPureVPN.

Some, likeIPVanish, are thinking of offering something similar in the future. However, at the time of writing, Indian virtual locations haven’t been announced yet.

Others, despite shutting down their Indian servers, claim not to have any plans to introduce fake locations. These includeNordVPN,Hide.meandAtlasVPN.

As Laura Tyrylyte from NordVPN told us: “We believe that we are going to find a way to meet the requirements of all of our customers, regardless of their location.”

ProtonVPNalso expressed its dissent over new CERT-In regulations, suggesting secure ways ofconnecting to VPN servers in high-risk countries. These include the use of one of itsSecure Coreservers to benefit of an extra layer of encryption.

At the same time,Windscribesaid that it is planning to keep its Indian servers, ‘unless our Indian hosting providers force us to vacate.’

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

3 reasons why PIA fell in our best VPN rankings

Is it still worth using Proton VPN Free?

Quordle today – hints and answers for Saturday, November 9 (game #1020)