The Indian government directive mandates VPN providers to store information about their customers for up to five years.

VPN provider Surfshark became the latest company to pull its servers from India this week, in response to government attempts to regulate encrypted web traffic.

The new directive by India’s top cybersecurity agency, the Indian Computer Emergency Response Team (Cert-In), requires VPN, Virtual Private Server (VPS) and cloud service providers to store customers’ names, email addresses, IP addresses, know-your-customer records, and financial transactions for a period of five years.

Surfshark announced on Wednesday in a post titled “Surfshark shuts down servers in India in response to data law,” that it “proudly operates under a strict ‘no logs’ policy, so such new requirements go against the core ethos of the company.”

Surfshark is not the first VPN provider to pull its servers from the country following the directive. ExpressVPN also decided to take the same step just last week, and NordVPN has also warned that it will be removing physical servers if the directives are not reversed.

New VPN regulations “lack clarity”

Like many businesses around the world, Indian companies have increased their reliance on VPNs since the COVID-19 pandemic forced many employees to work from home. VPN adoption grew to allow employees to access sensitive data remotely, even as companies started adopting other secure means to allow remote access such as Zero Trust Network Access and Smart DNS solutions.

A report from Atlas VPN highlights that the VPN penetration rate in India moved from 3% in 2020 to over 25% in the first half of 2021, growing at the fastest rate globally with a staggering 348.7 million installs, representing a growth of 671% over 2020.
“This will have a major impact on Indian businesses since these provisions could make it difficult for them to support employees working remotely, which has been the case since the COVID pandemic,” Prasanth Sugathan, a partner at law firm Sugathan and Associates, said.

The directive issued by Cert-In on April 28 also states that cybersecurity breaches must be disclosed within six hours of discovery. In fact, there is so much confusion over the eight-page directive that Cert-In has issued a 28-page FAQ.

“The directives are very broad and there’s not much clarity on how this will be applicable due to the wordings of the directive. Just the fact that the government had to issue a long FAQs note along with the directive shows the complexity of the situation. You can’t have FAQs to clarify statutory provisions,” Sugathan said.

According to Surfshark’s data, since 2004, 254.9 million accounts belonging to users from India have been breached. “To put that in perspective, 18 out of every 100 Indians had their personal contact details breached,” according to a note from Surfshark.

“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” the note added.