PIA Is Leaving India Due to Data Collection Directive

Posted on Jun 13, 2022 by Julia Olech

The Indian government has announced a new data collection directive, No. 20(3)/2022-CERT-In, which goes into effect on June 27, 2022. The legislation forces data-handling companies, including VPNs, to collect customers’ personal information. It also requires your data to be stored and shared (if needed) for up to five years – even if you stop using the service. 

This new ruling affects VPNs directly, since any online service with physical infrastructure in India has to comply with the new legislation. To comply with the new legislation while also being able to maintain our customers’ privacy, Private Internet Access will be removing its VPN servers located in India. That said, our clients will still have access to Indian IP addresses using our geo-located servers.

Why Is the New Directive Bad News for Indian Residents?

The No. 20(3)/2022-CERT-In rule severely undermines the online privacy of Indian residents. Whether you live in India or are traveling through the country, your online behavior will be linked to your personally identifiable information (PII). 

The directive is the first step to tougher online censorship, especially since CERT-In specifies companies must now report “unauthorized access to social media accounts”.

Under the new directive, companies like VPNs, data centers, and cryptocurrency markets have to store your (PII), such as:

  • 🚩 Your full name.
  • 🚩 IP addresses.
  • 🚩 Online habits and search history.
  • 🚩 Contact numbers.
  • 🚩 Dates you started (and stopped) using a service.

CERT-In claims the law was passed as a way to crack down on increasing cybercrime rates. However, it’s not entirely clear how collecting your data wouldn’t do the exact opposite. The more sensitive data companies store on their servers, the more files can be leaked in data breaches.

Companies in India will also face severe repercussions. CERT-In now requires them to report data breaches within six hours of discovery, and failure to comply results in hefty fines. This takes away from the time needed to patch up vulnerabilities and manage the attack within the company. Instead, employees will first have to fill in long forms to report a breach to the government. 

This attack on internet freedom can only mean one thing – a widespread VPN adoption. Even though many VPNs are now removing their physical servers from India, some, like Private Internet Access, will continue to serve Indian residents. That way you can still use a VPN to access your social media accounts, news outlets, streaming services, and more without the government spying on you.

Does the New Directive Mean VPNs Aren’t Legal in India?

Black and white mage showing a sign that says "Privacy Please"
The new legislation attacks online privacy, but you can take it back

No, VPNs are still legal in India and you can use them to access various platforms. That said, we advise you to avoid services with physical servers in India. Once the new data collection legislation sets in, they’ll have to log and store your data, not to mention hand it over to the authorities if asked.

The No. 20(3)/2022-CERT-In directive affects you even if you’re temporarily using the internet in India during your travels. That’s why I strongly encourage you to have your VPN enabled at all times when you’re in the country. Otherwise your PII, like name, IP address, and location, can be stored for up to 5 years, even if you’re just in the country for a few hours due to a connecting flight.

How Does India’s New User Data Directive Affect Private Internet Access?

We at Private Internet Access made a pledge to protect our customers no matter where they are. India’s new legislation doesn’t change that. We remain committed to the privacy of all our clients, and plan to support Indian citizens who oppose this unfair violation of their online freedom. 

The No. 20(3)/2022-CERT-In directive endangers the digital safety of PIA clients, Indian residents and travelers to the region. It’s not the first time Private Internet Access takes a stand against oppressive laws, and it likely won’t be the last. We do not operate servers in jurisdictions with anti-privacy regulations that prevent us from enforcing our strict no-logging policy. 

As such, we made some changes to our server network: we have no choice but to remove our physical servers from India. Continuing their upkeep would force us to comply with the new law, putting our customers’ anonymity at risk. Indian citizens and travelers can still use PIA’s worldwide network of physical servers without a problem.

Our physical servers in India will be replaced by virtual locations. PIA customers can use our new geo-located Servers in Singapore to get an Indian IP. Connecting to them still changes your virtual location to India and makes you anonymous online, but it does not force us to comply with India’s new data collection directive.

Should I Still Use a VPN in India?

Black and white image of a sign saying "Big data is watching you"
Is the new directive the end of privacy as we know it?

Yes, because a good VPN can still protect your privacy in India. However, if the service you’re using hasn’t removed its physical servers from the country, run as far away as possible. Once the new ruling comes into effect, VPNs with physical servers in India become a threat to your anonymity and may put you at a higher risk of data breach. 

Remember that VPNs that are physically present in a country have to comply with the local law, even if they claim to be privacy-conscious. As long as a party operates physical connections in India, their no-logs policies, tough encryption, and even dedicated IP addresses take a backseat. 

We refuse to give up on protecting your anonymity, which is why we’re switching to virtual locations in India. Physically located in Singapore, these connections give you an Indian IP address without the need to collect and store your personal details. That way you can use PIA in India without compromising your anonymity

Word of Caution on Using Free VPNs in India

Theoretically speaking, you can use a free VPN in India — but it’s very risky. Even without the data collection directive, some free VPNs collect and sell your details. With the new legislation in place, these services become even less privacy-conscious to avoid any legal repercussions.

To go around the new data requirements, VPNs can provide virtual locations with Indian IP addresses from outside the country. This is costly to run and maintain, so it’s unlikely you’ll find many of these servers among free VPNs. And if you do, you’ll probably have to pay through your nose for it to cover the extra cost. 

Get Private Internet Access to maintain your privacy in India. Our virtual locations are included in your subscription, so you pay nothing extra to stay anonymous in India. We also operate a strict No-Logs policy, so we never store any of your browsing history, DNS requests, or anything else.

FAQ

Does India require VPNs to collect user data?

Yes, the Indian government now requires VPNs to collect user data and store it for up to five years. That’s due to the No. 20(3)/2022-CERT-In data collection directive from India’s Computer Emergency Response Team (CERT-In). This legislation enforces extensive data collection, which means companies with physical infrastructure in the country have to log and keep your details for up to 5 years. 

We believe the No. 20(3)/2022-CERT-In ruling is a major threat to online freedom in India. Even though we’re moving our Indian servers out of the country, PIA continues to protect your privacy there. Our worldwide server network also contains new virtual locations equipped with Indian IP addresses.

What user data do Indian companies keep?

The No. 20(3)/2022-CERT-In directive requires companies to keep your personally identifiable information, including: full name, the time you started using the service, IP address, email address, what you use the service for, personal contact number, and unauthorized social media access.

Collecting and storing this information for any period of time increases the risk of it being leaked in a data breach. If that happens, bad actors could use your details in a variety of ways, like scams, fraud, and even identity theft. 

PIA can help you avoid data collection safely access Indian sites and services. If you have questions about how you can continue with our service despite the new directive, reach out to our customer support team. 

Are VPNs legal in India?

Yes, VPNs are legal in India — for now. The No. 20(3)/2022-CERT-In directive doesn’t ban them, but it interferes with their privacy policies if they have physical infrastructure in the country. Keep in mind that the new law doesn’t only affect VPNs. If any online service you’re using doesn’t switch to virtual locations, they will be forced to collect your data.

Private Internet Access does not mess around with your privacy, which is why we’re removing our physical servers from India. If we don’t have physical infrastructure there, we don’t have to comply with data collection directives. That’s why you can use PIA to stay anonymous in India even once the directive is enforced. 

Should I use a VPN in India?

Yes, because a VPN can still protect you from online threats and dangers — this includes malware, cybercrooks, fraudsters, and many other malicious actors who use unsecured connections to steal your personal data. 

However, the No. 20(3)/2022-CERT-In ruling means you need to be more mindful when choosing a VPN. Make sure to check the service has no physical servers in India.

Can I use a free VPN in India?

Even though you can use a free VPN in India, I need to warn you that it’s not a good idea. Some free VPNs actively collect your data anyway. To this, you can add the fact that the No. 20(3)/2022-CERT ruling forces all services in the country to compromise your online anonymity. Free VPNs could around the directive by moving their servers out of India and swapping them for virtual locations. However, it’s a costly and complex process. 

Instead of gambling with your privacy, I recommend you choose a VPN that can protect you in India. PIA has the strictest No-Logs policy and the new data collection directive doesn’t change that. Take PIA for a 30 day test drive with our money-back guarantee. That way you can truly learn about our strengths and how we can help you in India, worry-free.

Comments are closed.

2 Comments

  1. Wizulus

    Thank you for taking a stand, and explaining the danger of anyone collecting such information. I’m glad my subscription helps to support Indian citizens with virtual IP addresses, even though I live in the USA and have no need for an Indian IP address.

    2 years ago
    1. PIA Team

      Hi Wizulus! Thank you for your continued support. Even though we have virtual locations, these connections still offer real IP addresses – not virtual ones. This makes you seem like you’re physically located at a real address anywhere in the world.

      2 years ago