India has mandated a five-year data storage period for crypto exchanges operating in the nation. All virtual asset service providers will essentially have to store customer information they get via their KYC identification forms for Indian users. The rule also applies to all firms providing Virtual Private Network (VPN) services to Indians. The law has been brought in by India’s Computer Emergency Response Team (CERT-In). It also instructs concerned companies to report any threat or compromise to security networks within six hours of identifying.
“To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents” the government-backed agency said in a statement.
Industry insiders have expressed concerns about the slew of corporate changes that are foreseeable because of this new law, at this point where the crypto ecosystem is still in its early establishment stages in India.
“I think this request from the government of India is extraordinary when it comes to the preservation of data for long, five years. So, I believe they have to completely change their business models if they want to comply with the new rules,” Anshul Dhir, Co-founder and Chief Operating Officer (COO) of EasyFi Network told Gadgets 360. India-founded EasyFi is a Layer 2 DeFi Lending protocol for digital assets powered by Polygon blockchain.
Sensitive data such as IP addresses with timestamps and time zones, transaction IDs, public keys, and wallet addresses have been named by the CERT-In in the list of information that digital assets firms need to store for five years.
Additional tracking data such as the nature and date of transaction along with details on the amount transferred have also been listed to be maintained and saved.
The CERT-In has justified its decision citing national security and cyber safety reasons.
This rule, seeking sensitive user information, could lead to a largescale departure of customers from affected services, Kazim Rizvi, the Founding Director of Indian think tank ‘The Dialogue’ told Gadgets 360.
Many companies use VPNs to secure their systems and operations and additional burden on VPN players. As per Rizvi, a lawyer by degree, this law could deter them from operating in India, thus impacting the security of businesses and privacy of users in the nation.
The public policy entrepreneur has suggested the Indian government to refrain from “burdening” crypto, VPN, and Cloud players in the country.
“It is imperative that we refrain from placing additional burdens which may not help CERT-In achieve its objectives, while at the same time might affect the growth of relevant sectors in India. We believe the additional data collection may not be necessary for achieving the cyber security objectives. Also, for validation for customers, all service providers will have to develop additional infrastructure, which will increase costs of operation,” Rizvi added.
The EasiFi chief had also seconded Rizvi in predicting that the CERT-In rule could be detrimental to the ongoing growth trajectory of the impacted sectors.
As per the Indian government, these directions will become effective after 60 days.
Along with crypto exchanges, custodian wallet providers have also been included on the list of virtual asset industry players that will be impacted by this rule.
India has been introducing new rules in order to keep transactions of virtual digital assets, traceable. The government aims to curb potential misuses of digital assets for money laundering and terror financing.
The tax rules on digital asset transactions went live in India last month.
Days later, research firm Crebaco reported that the volume of cryptocurrency trading in India nosedived by upto 70 percent since the tax laws came into effect.
The country is not looking to give any tax relaxations or incentives to crypto players setting up the industry ecosystem. In March, industry experts had raised concerned on India’s restricted approach to the virtual assets industry.