VPN providers flee Indian market ahead of new data rules

VPN provider Surfshark became the latest company to pull its servers from India this week, in response to government attempts to regulate encrypted web traffic.

The new directive by India’s top cybersecurity agency, the Indian Computer Emergency Response Team (Cert-In), requires VPN, Virtual Private Server (VPS) and cloud service providers to store customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for a period of five years.

SurfShark announced on Wednesday in a post titled “Surfshark shuts down servers in India in response to data law,” that it “proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company.”

SurfShark is not the first VPN provider to pull its servers from the country following the directive. ExpressVPN also decided to take the same step just last week, and NordVPN has also warned that it will be removing physical servers if the directives are not reversed.

New VPN regulations “lack clarity”

Like many businesses around the world, Indian companies have increased their reliance on VPNs since the COVID-19 pandemic forced many employees to work from home. VPN adoption grew to allow employees to access sensitive data remotely, even as companies started adopting other secure means to allow remote access such as Zero Trust Network Access and Smart DNS solutions.

A report from Atlas VPN highlights that the VPN penetration rate in India moved from 3% in 2020 to over 25% in first half of 2021, growing at the fastest rate globally with a staggering 348.7 million installs, representing a growth of 671% over 2020.

“This will have a major impact on Indian businesses since these provisions could make it difficult for them to support employees working remotely, which has been the case since the COVID pandemic,” Prasanth Sugathan, a partner at law firm Sugathan and Associates said.

The directive issued by Cert-In on April 28 also states that cybersecurity breaches must be disclosed within six hours of discovery. In fact, there is so much confusion over the eight-page directive, that Cert-In has issued a 28-page FAQ.

“The directives are very broad and there’s not much clarity on how this will be applicable due to the wordings of the directive. Just the fact that the government had to issue a long FAQs note along with the directive shows the complexity of the situation. You can’t have FAQs to clarify statutory provisions,” Sugathan said.

According to Surfshark’s data, since 2004, 254.9 million accounts belonging to users from India have been breached. “To put that in perspective, 18 out of every 100 Indians had their personal contact details breached,” according to a note from Surfshark.

“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” the note added.