After ExpressVPN and Surfshark, Panama-based NordVPN announced on Tuesday that it will remove its servers from India on June, 26 after the government asked all VPN service providers to store user data for five years.
When contacted, NordVPN’s spokesperson said, “NordVPN has made the decision to remove all its servers from India. The servers will be removed on June 26, 2022.”
The spokesperson added, “Recently, India’s Computer Emergency Response Team (CERT-in) ordered internet infrastructure providers, including VPN services operating in India, to collect their customer data, store it for five or more years, and hand it over to the government if requested. That means that a VPN company with servers in India may no longer be able to guarantee privacy for its users. In light of this, the decision was made.”
NordVPN further emphasised that “we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards. Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India.”
NordVPN has servers in Mumbai and Chennai. After CERT-in’s April 29 directive, Nord was the first to announce that it is considering removing its servers from India, a practice that it had previously deployed in Russia.
In the new cybersecurity norms issued in April, CERT-in had asked VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. Entities are also required to report cybersecurity incidents to CERT-In within six hours of becoming or being made aware of them. It had also clarified that these directions would not apply to enterprise and corporate VPNs.
Later, the Ministry of Electronics and Information and Technology also noted that they might consider relaxing these rules for MSMEs and startups as well.
However, the government has warned VPN companies that are catering for the general public are free to leave India if they do not adhere to CERT-in’s directives. Experts note however that Meity’s diktat is, in fact, an infringement of privacy for the general public, particularly for the opponents of the government’s agenda, including activists, journalists etc.