New VPN Norms – Government’s Take On Privacy

VPN has always been a subject of debate in India. 

As per AtlasVPN’s report, India had over 348 million VPN downloads in 2021. Despite having such popularity in 2021, the government recommended a VPN ban in India for privacy concerns. Although the ban didn’t occur, the Indian government has introduced some new VPN norms or regulations for users, mainly for VPN companies. 

In April 2022, India’s Computer Emergency Response Team (CERT) announced a new regulation that VPN companies in India will have to collect and store customers’ data for at least five or more years. 

Unsurprisingly, these new VPN Norms are creating a lot of buzzes. How will this new law affect VPNs? How will it impact users? Are VPNs illegal in India? There are lots of questions arising. 

To answer all your questions, we’ve compiled everything you need to know about the new VPN norms in India. But before digging deeper, let’s start with the basics: What is a VPN? 

What Is A VPN?

A virtual private network (VPN) is a technology that allows you to connect securely to private networks over public networks. It creates an encrypted connection between your computer and a server so that your internet traffic is encrypted and can’t be intercepted by anyone else.

With a VPN, you can access websites in countries where they might not be available, or you can use it to get around censorship (a lot of countries have strict firewalls that block specific sites), secure remote work, and browse the internet anonymously.

What Are The New VPN Norms?

The key takeaways from the new VPN rules are:

  • According to the new law, all VPNs must gather and store user data (user names, physical address, email address, and phone numbers) for five or more years. 
  • VPN companies also have to keep a log of the reason behind using the service. 
  • VPNs should record all the IP addresses used by users to register. 
  • Along with VPN services, virtual service network providers, data centers, and cloud service providers have also been requested to keep track and store similar user data. 
  • VPN services must report cybersecurity incidents to CERT within six hours of becoming aware of them. 

What Is the Government’s Take On These New VPN Norms?

The main purpose of the government behind imposing these new VPN rules is to improve the “cyber security posture” and ensure people have access to a “safe and trusted internet”.

The CERT also informed that they had identified gaps in safeguarding against online threats. That’s why they’ve published the new norms to prevent cyber attacks. 

“If you are a VPN provider, if you are a data centre operator, if you are a cloud provider, and if you’re an enterprise, you have an obligation to know who’s using your VPN infrastructure… If there is a detected cyber incident or cyber breach — from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce the data,”Rajeev Chandrasekhar,  Union Minister of State for Electronics and Information Technology

How The New VPN Norms Impact Users & Companies 

The new rules received a lot of backlashes from the VPN companies. After all, the primary goal of VPN services is not to collect users’ personal information. 

The new norms will force these companies to store customer data which will increase costs and affect user privacy. 

India is among the top 10 VPN users around the globe. Various companies and individuals use VPN services to safely access private WiFi networks, remain anonymous, and many more. 

Several techies, students, and companies use VPNs to protect their data from third-party apps.

But with the new norms, they must go through a KYC process while registering a VPN. So, all VPN users will have their private data exposed to the government. 

It is also unclear how the government may use this data in the future. This raises a concern about the right to privacy for every individual. 

The Internet Freedom Foundation said the new norms lead to more concerns, such as the private enterprises and government “having more data than necessary”.

Several VPN companies like NordVPN, ProtonVPN, SurfShark, and ExpressVPN, have said that they are planning not to follow the newly imposed rules of India. After all, privacy is the main reason behind users investing in their premium plans. 

As per several VPN companies, they’ll continue to offer their no-logs policy to the users and threaten to pull back their service from India. 

The Bottom Line 

Despite all the backlashes from cybersecurity experts, stakeholder companies, and business advisory groups, the Indian government is pretty much firm on their new VPN norms. 

“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out.” – Rajeev Chandrasekhar,  Union Minister of State for Electronics and Information Technology

The privacy experts have sought public consultation on this matter, asking for more tech industry involvement to find a solution that suits every individual. Lastly, it’s needless to say that it will be interesting to see if the VPN companies manage to implement the new norms before the deadline of September 25, 2022.   

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs, easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit for more information about us.
You can reach out to our team at

Written By:


Written by an insightful Signzian intent on learning and sharing knowledge.