India mandates VPN providers to appoint compliance officers for cybercrime tracking
The Indian government is intensifying efforts to enforce stricter compliance with cybersecurity regulations for virtual private network (VPN) service providers operating in the country. Officials have indicated that companies will be required to appoint designated compliance personnel and maintain records as mandated by law.
This move follows renewed discussions within the government to strengthen enforcement amid concerns that VPN services are being misused to conceal identities, evade law enforcement, and access blocked websites and online platforms. A senior government official stated, 'There has been rampant abuse of VPN services. The objective is not to monitor ordinary users but to ensure investigative agencies can trace those involved in cybercrime and other unlawful activities.'
The proposed measures aim to establish a clearer compliance mechanism, including the appointment of compliance officers or authorised representatives responsible for responding to lawful requests from enforcement agencies and the Indian Computer Emergency Response Team (CERT-In). This mirrors the compliance architecture under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which require significant social media intermediaries to appoint similar officers.
The renewed focus puts the spotlight back on CERT-In's directions issued in April 2022, requiring VPN providers, cloud services, virtual private server providers, and data centres to collect and retain subscriber information for at least five years, even after a customer discontinues the service. The data includes names, physical addresses, contact numbers, email addresses, IP addresses, service usage period, and purpose of availing the service. This information must be furnished to authorities during lawful investigations of cyber incidents.
Government officials have maintained that the framework aims to improve India's ability to investigate ransomware attacks, financial fraud, phishing campaigns, and other cyber offences, where perpetrators often use anonymisation tools. They reiterated that subscriber information is sought only during lawful investigations, not for indiscriminate surveillance.
The directions previously triggered strong opposition from VPN companies and digital rights advocates. Several providers argued that mandatory data retention contradicts their 'no-logs' policies and undermines privacy protections. ExpressVPN removed its physical servers from India, opting to serve users through virtual server locations abroad. Other providers adopted similar models.
Following industry representations, the government extended the compliance deadline from June 27 to September 25, 2022, to allow more time for adjustment.