VPN service provider ExpressVPN on Thursday announced it will remove its servers from India, rejecting the Computer Emergency Response Team’s (CERT-In) new directions requiring all VPN providers to store user data for at least five years.
As per the directions — to come into effect on June 27, 2022 — companies will need to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data, ExpressVPN wrote in a blog post.
This makes British Virgin Islands-registered ExpressVPN one of the earliest major VPN service providers to withdraw its services from India following the new VPN rules.
Indian users will still be able access the company’s virtual VPN servers, which will instead be physically located in Singapore and the UK. The users will continue to get Indian IP addresses through this network.
“As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India,” the company said in its blog post.
“The new data law initiated by India’s Computer Emergency Response Team (CERT-In), intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.
The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” the company added.