The new Indian data regulation law requires VPN providers to keep excessive customer data for five years. In response, ExpressVPN and Surfshark are closing their Indian servers.
The new Indian VPN rule will come into effect on 27 June 2022 and will require VPN providers to store users’ real names, assigned IP addresses, and usage patterns, among other identifying data.
The new law was drafted to help fight cybercrime, yet VPN providers claim it is incompatible with the purpose of VPNs, which is to keep users’ activity private.
Last week, ExpressVPN announced its decision to pull out of India, saying the law is overreaching and might open a window for abuse.
“We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” the company said.
On Tuesday, another major VPN provider, Surfshark, said it would also shut down its servers in India.
“Surfshark proudly operates under a strict ‘no logs’ policy, so such new requirements go against the core ethos of the company,” the company said.
Surfshark’s Indian servers will be shut down before 27 June 2022. After the new law comes into force, the company will introduce virtual Indian servers physically located in Singapore and London.
Surfshark also noted that VPN providers leaving India would harm the “burgeoning” IT sector. Since 2002, almost 255 million Indian user accounts have been leaked.
“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” Surfshark said.