The Indian Computer Emergency Response Team (CERT-in), which falls under the Ministry of Electronics and Information Technology, issued a new directive on Thursday, forcing crypto exchanges, virtual private network (VPN) providers and data centers to store a wide range of user data for up to five years.
Under the newly issued directive, crypto exchanges operating in India will be required to store customers’ names, ownership patterns, contact information and various other data.
Crypto exchanges and VPN services providers are also required to report any cyber incident within six hours of its occurrence and must hand over the collected data to the authorities upon order. The official directive read:
“When required by order/direction of CERT-In, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider/intermediary/data center/body corporate is mandated to take action or provide information or any such assistance to CERT-In.”
The new directives will come into force on June 22, which may force many VPN service providers and privacy-focused crypto platforms that don’t collect or store critical user data to shut their operations.
CERT-in claims the new directives are intended to help them take action against cyber crimes within six hours, however, the range of data they are asking platforms to store and hand over has raised eyebrows owing to privacy concerns among users. One user wrote:
"Our government wants to control the private life of the people and our constitution does not allow this but to be honest, no one in India is much conscious about personal data."
However, some crypto exchange owners welcomed the step, saying it will help prosecute tax evaders. Unocoin CEO Sathvik Vishwanath told Cointelegraph:
“This is a good move and helping crypto players to have clarity about the data that they would be storing. The data would help prosecute tax evaders and any crimes happening using crypto.”
At this point, it is not clear whether the new rules would be applicable to crypto exchanges' operating in India only or to foreign exchanges offering their services to Indians as well. However, looking at the earlier crypto directives, it could well be applicable to all the platforms.
The new data collection directives come at a time when the regressive crypto tax policy in the country has already led to a steep decline in trading volume and user activity on Indian crypto exchanges.