Can’t regulate VPN apps, only MeitY can: TRAI
TRAI informs DoT it can't regulate VPN apps, stating they're governed by the IT Act, and recommends amendments for oversight if needed.
The Telecom Regulatory Authority of India (TRAI) has told the Department of Telecommunications (DoT) that it is legally not authorised to give recommendations on the regulation of virtual private network (VPN) apps.
In a letter dated February 27, TRAI said that VPN apps and their regulation are entirely governed by the IT Act and its underlying rules, and are within the regulatory ambit of the ministry of electronics and technology (MeitY). The regulator said this after the DoT sought its recommendations on monitoring and controlling VPN misuse.
“[A]s application VPN service providers are not licensed entities under the Telegraph Act, TRAI is not empowered under the TRAI Act, 1997, to furnish regulatory recommendations on Application VPNs,” the letter signed by TRAI secretary Atul Kumar Chaudhary said. “Hence, the reference seeking recommendations on monitoring and controlling VPN misuse falls outside TRAI’s regulatory scope and is hereby returned.”
The three-page letter was sent in response to DoT’s January 28 letter, seeking inputs from TRAI about the regulatory framework and security concerns associated with “Application Layer VPNs (Layer 7 VPNs)”.
In its letter, the DoT had highlighted different issues related to VPN misuse including cybersecurity threats, gaps in regulatory oversight, non-compliance with IT Rules, 2021, and operations of foreign VPN service providers.
TRAI said that as per the TRAI Act, TRAI’s regulatory purview is limited to service providers licensed by the DoT under the Indian Telegraph Act, and TRAI can only make recommendations on licensing, competition, spectrum management, and technological improvements concerning telecom services.
In a letter dated June 20, 2024, referenced in TRAI’s February 27 response, the DoT had sought inputs on “Monitoring and Controlling the misuse of VPNs and regulations thereof”.
The TRAI said that the “monitoring and controlling the misuse” of VPN applications is done through the Information Technology Act, 2000. It mentioned IT Rules, 2021; Interception, Monitoring, and Decryption of Information Rules, 2009; CERT-In Directions of April, 2022 and Section 70B(6) of the Act in particular.
Section 70B(6) of the Act empowers the CERT-In to issue advisories, seek information, and give directions to service providers, intermediaries (including VPN service providers) and data centres.
It said that “essential enabling resources” for a VPN app, including encryption for internet applications, SSL/TLS certification, IP address allocation, and cloud service, fall within the ambit of the IT ministry. Citing the September 27 amendment on allocation of business rules, it said that cybersecurity under the IT Act was within MeitY’s domain.
The TRAI said that VPN apps operate at the application layer and that the regulator was already awaiting DoT’s final decision on its recommendations related to “Regulatory Mechanism for OTT Communication Services”.
It further said that if the government wants TRAI to “assume regulatory oversight” over VPN apps, it should amend the TRAI Act so that entities that are regulated under the Information Technology Act, 2000, can be regulated by TRAI “under cyber-related regulatory functions”.
“TRAI would also require capacity building in cybersecurity, and critical resource protection in due course to effectively undertake such responsibilities,” the letter said.