The Computer Emergency Response Team (CERT-In) has extended the deadline for the new cyber security directives that mandate virtual private network providers to store customer data for up to 5 years, giving them & micro, small & medium enterprises (MSMEs) time until Sept 25 to implement the rules.
The rules, issued on April 28, were slated to kick into effect on June 26, 60 days after they were issued. In an order issued on June 27, CERT noted that MSME sought “reasonable time for generating capacity building required for implementation of these Directions”.
CERT in its notification said, “Also, additional time has been sought as well for implementation of mechanism for validation of subscribers/customers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers".
“Requirement relating to the aspects of registration & maintenance of validated names of subscribers/customers hiring the services & validated address & contact numbers by Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers & Virtual Private Network Service (VPN Service) providers…will become effective on 25th September, 2022,” it added.
Companies offering VPN or cloud services in India are required to collect, as well as maintain, extensive & “accurate” data of their consumers for 5 years under the Union Ministry of Electronics & Information Technology’s (MeitY) cybersecurity policy will be held liable if they don't store the data as directed by the Govt, an official familiar with the matter said on Monday.
The official added that while there is no mandatory need to inform the ministry that they are complying with the directives if the information regarding a particular case is sought by the Govt that the company fails to do so, it may face charges.
Union Minister for Electronics & Information Technology Rajeev Chandrasekhar earlier in June said that the companies must comply with the laws of the land or they can exit the Indian market. Defending the rules, the government said that the information will only be sought on a case-to-case basis, therefore not violating citizens’ right to privacy.
ExpressVPN, one of the leading cloud service providers, has already announced that it is shutting its servers in India, becoming perhaps the first virtual private network (VPN) services provider to pare back operations in the country after the government’s cybersecurity agency CERT-In issued directives that require additional compliances.
The directive has been controversial & tech companies & experts have said it opens avenues for misuse by mandating VPN service providers to maintain detailed logs of their customers.
(Only the headline and picture of this report may have been reworked by the LatestLaws staff; the rest of the content is auto-generated from a syndicated feed.)
Source Link
Picture Source : https://www.coe.int/documents/8475493/116001245/2088_64_Pic/e35f393c-2eaf-b6b5-c266-890011896c11
