VPN provider Private Internet Access (PIA) announced on Monday that it will be removing its servers located in India due to a new data collection directive (called No. 20(3)/2022-CERT-In) enacted by the Indian government.
This directive, which goes into effect on June 27, forces data-handling companies (like VPNs) to collect users’ personal information. Additionally, it requires customers’ data to be stored and shared for up to 5 years (if needed), even after they stop using the service.
The new ruling impacts VPNs directly, since any online service with physical infrastructure in India has to comply with the new legislation. While PIA will no longer have servers located in India, the VPN provider said that users will still have access to Indian IP addresses using its geo-located servers.
“The No. 20(3)/2022-CERT-In rule severely undermines the online privacy of Indian residents,” said PIA in its announcement. “Whether you live in India or are traveling through the country, your online behavior will be linked to your personally identifiable information (PII).”
Under this directive, companies like VPNs, data centers, and cryptocurrency markets would have to store personally identifiable information (PII), including full names, IP addresses, online habits and search history, contact numbers, and the dates on which a customer started (and stopped) using a service.
Companies in India will also face severe consequences as a result of this directive. CERT-In now requires companies to report data breaches within six hours of discovery, with failure to comply resulting in significant fines. Instead of taking the time needed to patch vulnerabilities and manage attacks within the company, employees will first be required to fill out long forms to report a breach to the Indian government.
On June 3, ExpressVPN also announced its decision to remove India-based VPN servers in response to the data collection directive.