The Indian Computer Emergency Response Team (CERT-In) has given virtual private network (VPN) providers another three months to comply with its new rules.
The new rules that were supposed to be effective from June 27 require VPN service providers along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
The April 28 directive from India's cyber agency sought additional compliance requirements for all VPN providers whose users are in the country.
Now, the new CERT-In direction will become effective on September 25.
The agency has directed data centres, virtual private server (VPS) providers, cloud service providers, and VPN providers that this specific aspect of the direction will become effective on September 25.
"The extension of timelines for implementation of these Cyber Security Directions of 28th April, 2022 have been urged in respect of Micro, Small and Medium Enterprises (MSMEs) for providing reasonable time for generating capacity building required for the implementation of these Directions," said the CERT-In.
Nearly 22 cybersecurity experts on Monday sent a joint letter to CERT-In and the Ministry of Electronics and IT, asking them to defer implementation of the contentious new Directions issued in April.
"The Directions will have a negative impact on cybersecurity and privacy, and public consultation must be undertaken to ensure that the views of all stakeholders, including subject matter experts, are taken into account," the letter read.
"Unchecked surveillance is a pressing concern in India -- one that is severely aggravated by the new data retention mandate in CERT-In's Directions, which impacts millions of people connected in India," said Raman Jit Singh Chima, Asia Pacific Policy Director and Senior International Counsel at Access Now, a non-profit.
"Requiring service providers, including VPN providers, to log information that they may otherwise not collect, for five years or more, violates the right to privacy protected by the Indian Constitution," he added.
Leading VPN service providers NordVPN, Surfshark and ExpressVPN have removed their servers from India over the new directions.
CERT-In later issued a set of clarifications, stating that the rules of maintaining customer logs will not apply to enterprise and corporate VPNs.