Government Postpones Compliance Deadline for VPN Providers to Store, Share User Data to September 25

The Indian Computer Emergency Response Team (CERT-In) appointed by the Ministry of Electronics and Information Technology has extended the implementation date of its April 28 order in which it asked virtual private network (VPN) providers to register and preserve user information for at least five years. Additionally, the compliance deadline for all government and private agencies to mandatorily report cybersecurity breach incidents to it within six hours of noticing them has also been pushed forward. The order, which was to come into force on June 28, will now become effective on September 25, 2022.

In a new directive issued on Monday, CERT-In said that it has taken into consideration the extension of timelines sought by VPN service providers as well as Micro, Small and Medium Enterprises (MSMEs) for enforcement of Cyber Security Directions of April 28, 2022 issued under sub-section (6) of section 70B of the Information Technology Act, 2000.

Data centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers sought more time for validation of subscribers/customers. MSMEs sought more time for generating capacity building required for implementation of the cybersecurity directions. As mentioned, the compliance date for both these cybersecurity directives has been postponed to September 25, 2022.

In the directive issued in April, VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — were ordered to register and maintain accurate information of their services for five years or longer “as mandated by the law after any cancellation or the registration as the case may be”.

The user information mentioned includes “the valid names of subscribers, period of subscribing to the service, IPs allotted to and being used, email address and IP address as well as accurate time recorded during the registration, purpose of subscribing, validated address and contact numbers, and ownership pattern of the subscribers signing into the service.”

Furthermore, it was also directed that the service providers will have to present the information as called for by CERT-In — failing of which (or non-compliance with the order) may invite “punitive action” under sub-section (7) of the section 70B of the IT Act, 2000 and other laws as applicable.

CERT-In had also asked all government and private agencies, including Internet service providers, social media platforms, and data centres, to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.