According to the new data law, all VPN providers are required to collect/store user information for at least five years – even after users stop using the service – and hand it over to India’s Computer Emergency Response Team (CERT-In). The new VPN order in India, which is set to become effective on June 27, 2022, will require companies to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data. “The new data law initiated by India’s Computer Emergency Response Team (CERT-In), intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private,” the company wrote in a blog post. “The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it.” As a result of the new data law, ExpressVPN removed its Indian-based physical VPN servers on June 2, 2022. However, users in India will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in the country. The “virtual” India VPN servers will physically not be located in the country but instead, be physically located in Singapore and the UK. The user needs to simply select the VPN server location, “India (via Singapore)” or “India (via the UK)”. ExpressVPN also clarified that users will experience ‘minimal difference’ because of this change. It’s worth noting that the VPN service provider has been operating their “India (via the UK)” virtual server locations for several years. These virtual locations use the registered IP address that matches the country a user chooses to connect to, while the server is physically located in another country. ExpressVPN said that virtual locations are used, where necessary, to provide faster, more reliable connections. “As for Internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government,” the company added. ExpressVPN assured that it is focused on protecting privacy and freedom of expression online. It never collects logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. It also never stores connection logs, which means no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations. “Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” it added. While ExpressVPN is the first VPN service provider to exit India, companies like NordVPN, ProtonVPN, PureVPN, and Surfshark are also contemplating removing their servers from the country if no other options are available.