The move comes two days after a second VPN firm, SurfShark, announced plans to remove its servers from India, following a directive that requires VPN firms to store customer data for five years. Credit: Olivier Le Moal / Getty Images India’s Ministry of Electronics and Information Technology (MeitY) is expected to meet VPN players along with tech policy groups, cyber security experts and legal experts, on Friday to review an earlier directive that requires VPN companies to store customer data for five years, and mandated companies in India to report a security breach within six hours. According to the Economic Times, which broke the story, the meeting could be chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar. As of early Friday evening, government officials had not confirmed whether the meeting had taken place. Technology policy groups including The Dialogue, AccessNow, Internet Freedom Foundation, Software Freedom Law Center, India, and BSA India had earlier written to the minister about the directive, which is likely to make it difficult for VPN firms to operate in India but also create higher compliance pressure on enterprises in India. While an FAQ document issued alongside the directive, posted on the website of the Indian Computer Emergency Response Team (Cert-In), clarifies that the new rules would not have an impact on enterprise VPN services, there is no such mention in the actual directive itself. “The FAQs document is not legally binding. The FAQs also state that it is an ‘evolving document’. The fact that the document is not legally binding means neither BSA members nor any other organization can effectively rely on the FAQs to ensure compliance with the Directions. This could hurt their commercial operations, investments, and R&D activities,” the BSA said in a letter dated May 30 titled “BSA concerns on the CERT-In Directions on Information Security Practices”. Companies seek clarity on VPN directive BSA India is also seeking clarity on what specific security incidents are required to be reported within six hours and has requested the government to extend the reporting time to 72 hours after discovery. “Based on our experience and research, the initial 24-72 hours after a potential incident is discovered involves uncertainty and fast-paced investigative, containment, and remediation work. This is a critical period, since there is a consistent need to react in unexpected ways to new information as it is discovered,” the letter said. At least two VPN players, including SurfShark and ExpressVPN, have already announced they’d be removing their servers from India in response to the directive issued on April 28, effective toward the end of this month. NordVPN has also warned that it will be removing physical servers if the directives are not reversed. “It’s puzzling that a Govt that claims to be a cheerleader of the tech ecosystem regularly comes up with policies that are reminiscent of the license raj. Nowhere in the world CERTs behave like rule making bodies to rob citizens of their privacy and drive businesses out. A time limit of 6hours and expectations of KYC mechanisms does how control at any cost is the north star here,” said Mishi Choudhary, technology lawyer and online civil liberties activist. Choudhary was also the founder of the Software Freedom Law Center, India, which has been petitioning against the new rules. The directive is expected to impact both consumers as well as enterprises. While privacy advocates fear that the new directive could be an attack on privacy by forcing VPN companies to store information such as customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for a period of five years, the rules could also add to compliance pressures on enterprises who will now be required to report any cyber security breach to Cert-In within six hours. Related content feature 8 AI-powered apps that'll actually save you time Most AI apps are buzzword-chasing hype-mongers. These eight off-the-beaten-path supertools are rare exceptions. By JR Raphael Jul 01, 2024 15 mins Generative AI Productivity Software feature Windows 11 Insider Previews: What’s in the latest build? Get the latest info on new preview builds of Windows 11 as they roll out to Windows Insiders. Now updated for Build 26244 for the Canary Channel and Build 22635.3858 for the Beta Channel, both released on June 28, 2024. By Preston Gralla Jul 01, 2024 272 mins Small and Medium Business Microsoft Windows 11 news analysis EU commissioner slams Apple Intelligence delay Margrethe Vestager, Europe's chief gatekeeper, takes a shot at Apple's decision to delay rolling out the company's AI. By Jonny Evans Jun 28, 2024 7 mins Regulation Apple Generative AI how-to Download our unified communications as a service (UCaaS) enterprise buyer’s guide Does your phone system date back to the last century? If so, you’re missing out on new technologies that can increase productivity and support a more distributed workforce. That’s where unified communications as a service, or UCaaS, comes By Andy Patrizio Jun 28, 2024 1 min Unified Communications Enterprise Buyer’s Guides Cloud Computing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe