Following ExpressVPN's exit from India, Surfshark's pledge to remove its physical servers and yesterday Hide.me's announcement to pull the plug, the Panama-based provider confirmed its commitment to protecting the privacy of its customers.
"As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data," said Head of Public Relations at NordVPN Laura Tyrylyte.
"Therefore, we are no longer able to keep servers in India."
Expected to come into force in roughly two weeks, India's new CERT-In directives will force VPN companies to keep users' data for up to five years. These will include sensitive information like IP addresses, real names and usage patterns. Providers will also have to share this information to authorities when required.
"In the past, similar regulations were typically introduced by authoritarian governments in order to gain more control over their citizens. If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech," Laura Tyrylyte from NordVPN told us.
What about NordVPN users in India?
This means that NordVPN's subscribers based in the country will have to pick one of its available servers based outside Indian borders. Currently, the provider has 5,500+ fast and reliable servers across 60 countries - some of which are located in surrounding areas, like Thailand, Vietnam and Indonesia.
People in India will then be able to protect their anonymity and bypass any restrictions as usual. However, they may want to enable the NordVPN split tunneling option to exclude the VPN protection from those apps that require a local IP to grant access.
NordVPN Indian servers will remain active until June 26, the day before CERT-In regulations are supposed to come into force. "In order to ensure that our users are aware of this decision, we will send notifications with the full information via the NordVPN app starting June 20," said Tyrylyte.
Why is India's new data retention law controversial?
While India's new data retention law comes as an attempt to fight cybercrime, its regulations have been sparking many concerns across the tech sector and privacy advocate groups.
Due to a backsliding media freedom and the infamy of recording more internet shutdowns than any other country , experts are worried that such intrusive regulations can easily be misused to foster mass surveillance and undermine citizens' civil liberties.
On top of that, VPN providers are just some of the companies that will have to comply with new CERT-In directives. Other services include data centers, cloud storage services, virtual private servers (VPS), and cryptocurrency exchanges.
The amount of stored private information will then be massive, throughout thousands of different companies. This opens not to a few doubts about new regulations' feasibility. On this point, Laura Tyrylyte from NordVPN said: "It is hard to imagine that all, especially small and medium enterprises, will have the proper means to ensure the security of such data."
And it's not just privacy worries. India's new data law is believed to have a negative impact on its fast-growing IT sector too, perhaps translating in higher fees for India VPN users overall.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to email@example.com