[The Viewpoint] Cyber Security Directions, 2022: Boon or bane?

Many VPN service providers are not happy with the Directions as they believe that they will impact the basic essence of anonymity and privacy of their users.
Neelkamal Chaudhary

With India’s explosion into the digital world, the laws of the country have had to keep pace in order to protect users of the internet. On the one hand, this growth helps bolster the economy through new avenues and innovation; on the other, it comes with threats to online safety and the risk of cyber crime.

The Cyber Security Directions were issued on April 28, 2022 under sub-section (6) of Section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber security incidents. The Directions, proposed to be effective from June 2022, are one of the branches of the overall cyber security architecture that is being used by the Government of India to counter emerging threats.

A “cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes in data and information without authorization.

Understanding VPN

VPN stands for “virtual private network”. It is a service that protects your internet connection and privacy online. A VPN creates an encrypted tunnel for your data, protects your online identity by hiding your IP address, and allows you to use public Wi-Fi hotspots safely.

While many corporates use VPN services for securely accessing their company networks and protecting their data, these services are also used by cyber criminals to hide their internet footprint.

Applicability of the Directions

The Indian Computer Emergency Response Team (CERT-In) is an organization that is tasked with ensuring safety of the internet in India. It has proposed that VPN service provider companies in India should maintain records of names, addresses, contact numbers, subscription period, email addresses, IP addresses and client’s reasons for using these services for a period of 5 years. Further, any cyber security incidents are to be reported to CERT-In within 6 hours of the company becoming aware of the same. Failure to comply will result in punitive action against the VPN service provider.

CERT-In has clarified that these rules are applicable to service providers, intermediaries, data centres, bodies corporate, Virtual Private Server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations. Individual citizens are not covered by these Directions.

Impact of the Directions

According to the Government of India, the idea behind these Directions is timely reporting of cyber security incidents to CERT-In. Once this happens, CERT-In can analyse the necessary information, which will help enhance cyber security situational awareness, reduce cyber security attacks and bring about coordinated response measures, ultimately ensuring protection of data. Further, as per the Government of India, these Directions do not violate the right to informational privacy of individuals.

However, many VPN service providers are not happy with the Directions as they believe that they will impact the basic essence of anonymity and privacy of their users. NordVPN, one of the biggest providers, is reportedly thinking of pulling out of the country, while Proton VPN has expressed disapproval in a tweet, stating that India’s new VPN regulations are “an assault on privacy”, and that it will continue maintaining its no-log policy.

Neelkamal Chaudhary is an Associate Partner at Universal Legal.

Bar and Bench - Indian Legal news