ExpressVPN has pulled its servers from India following the government’s new data collection law ordering all VPN providers to log and store user information for a minimum of five years.
The new government requirement is set to come into effect on June 27, 2022, and has other leading VPN providers considering shutting down their operations in India as well.
ExpressVPN Rejects Data Demands, Yanks Servers in India
ExpressVPN is the first major company to remove its Indian-based servers over the government data logging order. The new law will require VPN companies to log user names, IP addresses, emails and contact numbers, addresses, and login information, among other data.
As a strict no-logs VPN, ExpressVPN said it has to adapt to the ever-changing privacy and security landscapes where it operates.
“As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India,” ExpressVPN said in a blog post on Tuesday. “The law is also overreaching and so broad as to open up the window for potential abuse.”
ExpressVPN said that customers will still be able to take on Indian IP addresses, though servers will be relocated to Singapore and the UK. Since those IP addresses will be virtual server locations, users must use the “India (via UK)” or “India (via Singapore)” options.
Are Major VPN Providers Exiting India?
A NordVPN spokesperson told the Thomson Reuters Foundation that the company welcomes India’s move towards better national cybersecurity, but that the government should consider extending the debate and discussion period on the data collection and storage requirement. Difficult compliance measures would mean considering removing their “presence from India,” NordVPN said.
Major VPN provider Surfshark also said it wouldn’t be able to comply with India’s stringent new law. Surfshark also operates under a “strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information,” Gytis Malinauskas, Surfshark’s legal head, told Reuters.
Meanwhile, ProtonVPN said in a tweet that the new data laws “are an assault on privacy,” and that this threatens to force surveillance upon citizens. ProtonVPN, however, has not announced any immediate plans to exit India yet.
VPN Services Must Retain Data
While India’s looming data directive is meant to improve India’s national cybersecurity, many critics claim that it compromises user privacy.
The new data law’s official legal document confirms that personally identifiable information (PII) about users, among other information, must be logged and stored for years.
The legal document states that “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers,” must register and maintain — for at least 5 years — the names of subscribers and customers, IP addresses being used, email addresses, addresses, and contact numbers.
Since many VPN operators adhere to no-logging policies and offer anonymity along with advanced security and encryption protocols, companies are finding themselves at odds with the directive.
India’s Cyberspace Clampdown
Several nations have overhauled their cybersecurity legislation with strict new rules in response to the threat of cybercrime, which skyrocketed during the pandemic, as well as ongoing international cyber threats stemming from the Russia-Ukraine crisis.
According to Reuters’ analysis, demand for online anonymity and privacy awareness has spiked in India “in recent years as the government tightened its grip on the internet to curb dissent,” while more people also transferred to remote work.
This was reflected in the fact that VPN use in India jumped by 671% in 2021. In November 2020, India’s government blocked 43 mobile apps, also pointing at an abrupt change in the nation’s attitude towards cyberspace.