New directives for VPN service providers and cryptocurrency exchanges would require them to collect critical private information as well as customer ownership patterns.

India’s Computer Emergency Response Team (CERT-In), which reports to the Ministry of Electronics and Information Technology, issued a new directive on Thursday, forcing cryptocurrency exchanges, virtual private network (VPN) providers and data centers to store a wide range of user data for up to five years.

Under the newly issued directive, crypto exchanges operating in India will be required to store customer names, ownership patterns, contact information, and various other data.

CERT-In Directives

Cryptocurrency exchanges and VPN service providers are also required to report any cyber incident within six hours of its occurrence and must hand over collected data to authorities upon warrant. The official directive read as follows:

“When required by order/instruction of CERT-In, for the purposes of response to cyber incidents, protective and preventive actions related to cyber incidents, the service provider/intermediary/data center/legal entity is mandated to take action or provide information or any such assistance to CERT-In”.

More specifically, the directive demands that:

“Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:

a. Validated names of subscribers/customers hiring the services

b. Period of hire including dates

c. IPs allotted to / being used by the members

d. Email address and IP address and time stamp used at the time of registration /onboarding

e. Purpose for hiring services

f. Validated address and contact numbers

g. Ownership pattern of the subscribers / customers hiring services.”

The new directives will take effect on June 22, which may force many privacy-focused VPN service providers and crypto platforms that do not collect and store critical user data to shut down their operations.

CERT-In claims that the new directives’ main purpose is to help it take action against cybercrime within six hours; however, the variety of data it asks platforms to store and deliver has drawn attention because of privacy concerns among users.

Mixed Reactions to the Directives

With regard to privacy issues, one user wrote, “our government wants to control people’s private lives and our constitution doesn’t allow it, but to be honest, no one in India is very conscious about personal data.”

However, some crypto exchange owners welcomed the step, saying it will help prosecute tax evaders. Unocoin CEO Sathvik Vishwanath told Cointelegraph:

“This is a good move and helps crypto players get clarity on what data they would be storing. The data would help prosecute tax evaders and any crime that occurs using cryptocurrencies.”

At this point, it is unclear whether the new rules would apply to crypto exchanges that operate only in India or to foreign exchanges that offer their services to Indians as well. However, looking at the crypto guidelines above, they might well be applicable to all platforms.

The new data collection directives come at a time when the country’s regressive crypto tax policy has already led to a sharp decline in trading volume and user activity on Indian crypto exchanges.

By Audy Castaneda

