Indian IT Ministry instructs crypto exchanges to keep user data for 5 years


India’s Computer Emergency Response Team (CERT-in), which reports to the Ministry of Electronics and Information Technology, issued a new policy on Thursday, forcing crypto exchanges, virtual private network (VPN) providers and data centers to use a variety of Data store user data for up to five years.

Under the newly enacted policy, crypto exchanges operating in India are required to store client names, ownership patterns, contact information and various other data.

Crypto exchanges and VPN service providers are also obliged to report every cyber incident within six hours of its occurrence and to hand over the collected data to the authorities if ordered to do so. The official instruction read:

“When required by order/direction of CERT-In, the service provider/intermediary/data center/entity is mandated to take action or information or the like for the purpose of cyber incident response, protection and preventive measures related to cyber incidents to provide such support for CERT-In.”

The new guidelines come into effect on June 22, which could force many VPN service providers and privacy-focused crypto platforms that don’t collect or store critical user data to shut down operations.

Related: Brain Drain: India’s Crypto Tax Forces Budding Crypto Projects to Relocate

CERT-in claims the new guidelines should help them take action against cybercrime within six hours, but the range of data platforms are expected to store and transfer has caused a stir among users due to privacy concerns. A user wrote:

“Our government wants to control people’s private lives and our constitution doesn’t allow it, but to be honest nobody in India is aware of personal data.”

However, some crypto exchange owners welcomed the move, saying it will help prosecute tax evaders. Unocoin CEO Sathvik Vishwanath told Cointelegraph:

“This is a good move and helps crypto players have clarity about the data they would be storing. The data would help prosecute tax evaders and any crimes committed using crypto.”

At this point, it is not clear whether the new rules would only apply to crypto exchanges that only operate in India or to foreign exchanges that also offer their services to Indians. However, if you look at the previous crypto guidelines, it could well be applicable to all platforms.

The new data collection policies come at a time when the country’s regressive crypto tax policy has already caused a sharp drop in trading volume and user activity on Indian crypto exchanges.