Netherlands-based virtual private network (VPN) provider Surfshark said that it is exploring the possibility of legally challenging the recent directions by Indian Computer Emergency Response Team (CERT-In), one of which mandates that VPN service providers have to maintain customer logs for a period of five years.
While responding to a query by Moneycontrol, Surfshark's head of legal Gytis Malinauskas said, "Currently, we are investigating the new regulation with Indian lawyers before deciding on the best course of action. Surfshark is considering all the options, including the possibility of challenging the validity of this new regulation."
Malinauskas said that Surfshark remains committed to providing no-logs services to its users, including those in India. This implies that it does not collect or share customer browsing data or any user information. "As the new regulation goes against the nature of the VPNs industry – which seeks to protect users’ privacy – we remain committed to providing no-logs services to our users, including those living in India," he said.
While terming the CERT-In directions as radical, he said,
"Overall, making such a radical action that highly impacts the privacy of millions of Indians without robust data protection mechanisms will most likely turn out to be counterproductive and strongly damage the sector’s growth in the country."
The development comes a day after the government warned service providers that they are free to terminate their businesses in the country if they are non-compliant to new rules. In a press conference on May 18, Rajeev Chandrasekhar, the Minister of State for Information Technology, stated that non-compliant providers would "have to pull out".
Meanwhile, other VPN service providers in the Indian market have reiterated their commitment to privacy and termed directions issued by CERT-In as "unimplementable. Yegor Sak, founder of Canada-based VPN firm Windscribe, said, "Our service is free and available to anyone. We will not compromise the privacy of all our users to comply with these ridiculous requirements originating from a single country."
On May 18, CERT-In issued a clarification on its April 28 directions where it mandated that VPN service providers and cloud service providers have to maintain customer logs such as their names and IP addresses for a period of five years.
In its clarification, CERT-In stated that corporate and enterprise VPNs were exempted from the directions, and that it was only applicable to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
