Cyber Law Due Diligence For VPN Service Providers In India

VPN service providers in India are in a tight spot as they have to face legal consequences one way or the other. If they comply with the e-surveillance demands of Indian govt, they would be liable for prosecution for violating privacy, data protection and other rights of Indians.

If they do not comply with such e-surveillance demands of Indian govt, they would be prosecuted by the govt for violating some arbitrary and unconstitutional rules framed by Indian govt. We do not have a constitutionally valid e-surveillance policy of India as on date and there is no intention of either Congress or BJP to do so as well in future.

From 26-09-2022, VPN service providers are required to comply with the data and e-surveillance related provisions of cyber law of India and rules made under it. That carries a host of complicated techno legal regulatory compliance that are not easy to manage. Add the complexities of illegalities and conflict of laws to this situation and VPN service providers in India are in serious trouble.

Many VPN service providers have already pulled physical servers from India as they consider the mandate to collect customer data violative of their privacy and data protection rights. This is a correct assessment to a great extent if the rules are implemented blindly. What VPN service providers in India need is a techno legal cyber law due diligence that can maintain a balance between rights of their customers and demands of Indian authorities.

The best option available to them is to use the online dispute resolution (ODR) portal of Perry4Law Organisation (P4LO) and PTLB. The ODR Portal of India is exclusive techno legal ODR portal of the world that is helping global stakeholders to manage global regulatory and legal compliance, including those from India. This way they would be insulated from both customer and govt side litigation and legal claims as all issues would be filtered through the this ODR Portal.

CERT-In has mandated VPN service providers to collect and maintain customer information including names, email addresses, and IP addresses for at least five years, even after they have canceled their subscription or account. Besides privacy violation, it carries additional burden to ensure data security and cyber security of such data and customers. The VPN and similar businesses would cease to become profitable in India now onwards unless they are managed through a techno legal cyber law due diligence.

Both VPN service providers and their customers can also lodge a complaint or grievance at the ODR Portal of India for violation of their privacy, data security and cyber security. We would investigate the same and take up the matter with concerned authorities or courts.

Any demand for data or details from the VPN service providers of India can be shared with us for techno legal analysis and we would provide a comprehensive and holistic solution for all such demands on a case to case basis.

However, this entire situation has created a difficult situation for VPN service provider of India for another issue. Now customers would not trust them anymore for their private, confidential and sensitive information, data, documents, etc. They have legitimate fears that such VPN service providers can sell them anytime to the govt at the drop of a hat. They would not resist the illegal and unconstitutional e-surveillance demands of Indian authorities.

To be on the safer side, Indian customers must check the terms and conditions, privacy policy, etc of all VPN service providers of India very carefully. If they do not carry strong privacy and data protection mechanisms, just avoid such VPN service providers altogether. The best option is to incorporate the ODR Clause of ODR Portal Of India and consult it whenever a demand is raised by any Indian authority.

It must also be kept in mind that proposed Indian Telecommunication Act, 2022 would further make the lives of VPN service providers and their customers more miserable. This proposed law is not only creating severe conflict of laws in cyberspace but it is also enforcing e-surveillance, eavesdropping and spying capabilities of Indian govt and its agencies in an unrestricted and unreasonable manner.

While many VPN service providers have already pulled their servers from India yet other VPN companies are looking for solutions that have minimal impact on their users while also maintaining their privacy. As stated above, there is just one solution and that runs through the ODR India Portal of P4LO.