NordVPN, one of the most popular VPN providers, is the latest to confirm that it will be removing its servers in India ahead of the nation enacting new strict guidelines later this month.
The Lithuania-based firm, which counts General Catalyst and Novator among its backers and is valued at $1.6 billion, said on Tuesday that it doesn’t maintain any logs of its customers’ data, strings of information that New Delhi will soon require VPN providers to share.
“Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN, told TechCrunch.
“Our Indian servers will remain until 26 June 2022. In order to ensure that our users are aware of this decision, we will send notifications with the full information via the NordVPN app starting 20 June. As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies. It is hard to imagine that all, especially small and medium enterprises, will have the proper means to ensure the security of such data,” she added.
The Indian Computer Emergency Response Team, the body appointed by the government to protect India’s information infrastructure, unveiled cybersecurity guidelines in late April that will require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” to store customers’ names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.
The new rules go into effect June 27.
NordVPN’s decision follows similar directions taken by ExpressVPN and SurfShark, both of which have removed servers in the country. It’s unclear how popular VPN services are in India, but on their sites the aforementioned firms say they are used by millions of users worldwide.
ProtonVPN, another popular VPN provider, has also said that it is committed to keeping its “no-logs policy.” Some VPN providers, including ExpressVPN, have said that they will continue to provide “virtual server locations” to Indian customers, but according to the new rules, such a bypass might still be in violation of the new guidelines.
NordVPN’s Tyrylyte told TechCrunch that the firm believes that it is “going to find a way to meet the requirements of all of our customers, regardless of their location.”
Lawmakers in India have made it clear that they have no intentions to relax the new rules.
Rajeev Chandrasekhar, the junior IT minister of India, said in a press conference last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country. The government, he said, will not be holding any public consultation on these rules.
The new rules also mandate firms to report incidents of security lapses such as data breaches within six hours of noticing such cases. Following pushback from advocacy groups, Chandrasekhar said last month that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that he said had stricter requirements.
“If you look at precedence all around the world — and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allow us to understand the larger force behind it — reporting accurately, on time, and mandatorily is an absolute essential part of the ability of CERT and the government to ensure that the internet is always safe,” he said.