MoS IT: Non-complying VPNs will have to pull out, adequate time given for compliance
The government has given more than adequate time for virtual private networks (VPNs), data centres, cloud service providers and enterprises to comply with the new directions on reporting of cyber security breaches, said Rajeev Chandrasekhar, minister of state for information technology, at the release of frequently asked questions (FAQs) on the cybersecurity incident directions issued last month.
The minister said that the directions requiring VPNs or data centres to report security breaches within six hours of the incident coming to light were more relaxed than global standards, as some countries mandate immediate reporting. He added that compliance within 60 days with the requirement to keep log records for five years was mandatory, and that those unwilling to comply may well have to rethink their India business plans.
“The government has very clearly said repeatedly on all issues relating to rulemaking, there is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and you don’t want to comply, then if you want to pull out, frankly, that is the only opportunity you have to pull out,” the minister said.
He further noted that the burden of incremental compliance was small.
The minister’s comments followed directions issued by the Indian Computer Emergency Response Team (CERT-In) on April 28 regarding cybersecurity, data centres, VPN providers and crypto exchanges, which mandated that VPN service providers maintain logs, including customers’ names, IP addresses and other details, for five years, beginning June 2022. Several VPN providers had objected to the directions, raising concerns about the privacy of customers using their services.
In a set of FAQs on the directions, issued on Wednesday, the government clarified that non-compliance will attract penalties under a section of the IT Act. It also clarified that corporate or enterprise VPNs do not fall under the category of “VPN service providers” and that the directions apply to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers.”
“This essentially indicates that corporate VPN service providers may not be required to enable logs or maintain customer data as prescribed under the directions,” said Rishi Anand, partner at DSK Legal.
The guidelines further noted that service providers, intermediaries, data centres and body corporates offering services to users in the country must designate a point of contact to liaise with CERT-In if they do not have a physical presence in India.
The government issued the directions because its existing set of rules governing cybersecurity, issued in 2011, did not include mandatory reporting and therefore needed an upgrade.
“The size, shape, scale of the Indian internet was dramatically different from 80 crore Indians online today. Almost every enterprise today is connected on the internet and is heavily digitised and therefore the risks that are represented in 2022 are materially different from the risks of 2011. Therefore, we think mandatory reporting is absolutely important for us as government and industry to keep the Internet open and safe and trusted,” Chandrasekhar said.
The minister added that a VPN provider, data centre operator, cloud provider or enterprise is obliged to know the users of its infrastructure and, if a cyber breach is detected from one of those users, is mandated to produce the data required for taking action. He also noted that if the entities do not comply, the government will have to take appropriate action, but did not specify what steps the government would take.
The minister added that the directions were separate from the data protection law, which creates a legislative framework for the informational privacy of the individual.
“This is not some exclusionary provision, a large number of rule-making you will see over the next coming months that will be made that addresses the openness, safety, trust and accountability issues of the internet, and that will continue,” he said.