Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K."
The development comes as the CERT-In has enforced new controversial data retention requirements that are set to come into effect on June 27, 2022, and mandate VPN service providers to store subscribers' real names, contact details, and IP addresses assigned to them for at least five years.
The logged user data, CERT-In emphasized, will only be requested for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents."
The agency has since clarified that this rule does not apply to corporate and enterprise VPN solutions and are only aimed at those operators who provide proxy-like services to "general Internet subscribers/users."
"The new data law [...], intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users' online activity private," ExpressVPN said. "The law is also overreaching and so broad as to open up the window for potential abuse."
The rules, dubbed Cyber Security Directions, also mandate firms to report incidents of security lapses such as data breaches and ransomware attacks within six hours of noticing them.
The move has not only sparked privacy concerns, but has also been criticized as ambiguous and overly broad, pointing out a lack of clarity on the scope of incidents that come under purview of the upcoming directive.
"Such excessive requirements for collecting and handing over data will not just impact VPN service providers but VPN users as well, harming their individual liberty and privacy," the Internet Freedom Foundation said in a statement.
"In the absence of sufficient oversight and a data protection framework to protect against misuse, such requirements have the potential to enable mass surveillance."