The Indian government directive mandates VPN providers to store information about their customers for up to five years. Credit: Putilich / Getty Images VPN provider Surfshark became the latest company to pull its servers from India this week, in response to government attempts to regulate encrypted web traffic. The new directive by India’s top cybersecurity agency, the Indian Computer Emergency Response Team (Cert-In), requires VPN, Virtual Private Server (VPS) and cloud service providers to store customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for a period of five years. SurfShark announced on Wednesday in a post titled “Surfshark shuts down servers in India in response to data law,” that it “proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company.” SurfShark is not the first VPN provider to pull its servers from the country following the directive. ExpressVPN also decided to take the same step just last week, and NordVPN has also warned that it will be removing physical servers if the directives are not reversed. New VPN regulations “lack clarity” Like many businesses around the world, Indian companies have increased their reliance on VPNs since the COVID-19 pandemic forced many employees to work from home. VPN adoption grew to allow employees to access sensitive data remotely, even as companies started adopting other secure means to allow remote access such as Zero Trust Network Access and Smart DNS solutions. A report from Atlas VPN highlights that the VPN penetration rate in India moved from 3% in 2020 to over 25% in first half of 2021, growing at the fastest rate globally with a staggering 348.7 million installs, representing a growth of 671% over 2020. “This will have a major impact on Indian businesses since these provisions could make it difficult for them to support employees working remotely, which has been the case since the COVID pandemic,” Prasanth Sugathan, a partner at law firm Sugathan and Associates said. The directive issued by Cert-In on April 28 also states that cybersecurity breaches must be disclosed within six hours of discovery. In fact, there is so much confusion over the eight-page directive, that Cert-In has issued a 28-page FAQ. “The directives are very broad and there’s not much clarity on how this will be applicable due to the wordings of the directive. Just the fact that the government had to issue a long FAQs note along with the directive shows the complexity of the situation. You can’t have FAQs to clarify statutory provisions,” Sugathan said. According to Surfshark’s data, since 2004, 254.9 million accounts belonging to users from India have been breached. “To put that in perspective, 18 out of every 100 Indians had their personal contact details breached,” according to a note from Surfshark. “Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” the note added. Related content news Businesses lack AI strategy despite employee interest — Microsoft survey Microsoft’s fourth annual Work Trend Index survey shows that workers are coming to grips with generative AI tools, but leaders aren’t convinced they have a proper deployment strategy in place. By Matthew Finnegan May 08, 2024 6 mins Microsoft Generative AI IT Skills news analysis Apple Silicon sets scene for a new AI ecosystem With its new iPads, Apple presses home the message that Apple Silicon is built for AI. By Jonny Evans May 08, 2024 12 mins Apple Generative AI iPad news The CHIPS Act money: A timeline of grants to chipmakers The Department of Commerce is divvying up $52 billion in the hopes of spurring on-shore chip manufacturing in the US. Here's what's been allocated and where the money is going. By Lucas Mearian May 08, 2024 5 mins CPUs and Processors Government Manufacturing Industry reviews Arc browser for Windows — better than Chrome? This might just be the best web browser for power users. But you’ll have to rewire your brain. By Chris Hoffman May 08, 2024 13 mins Windows Browsers Productivity Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe