The Delhi HC has issued notice in a petition filed by SnTHostings challenging the legality of Direction No. 20(3)/2022-CERT-In dated April 28, 2022 (‘2022 Directions’) issued by the Indian Computer Emergency Response Team (‘CERT-In’). SnTHostings provides hosting, Virtual Private Network (‘VPN’) and Virtual Private Server (‘VPS’) services. The 2022 Directions presented an existential crisis to SnTHostings as they mandated it to collect a range of personal data and share it with CERT-In on demand and / or on the occurrence of a cyber-security incident. Mr. Samar Bansal appeared on behalf of SnTHostings. Justice Yashwant Varma of the Delhi HC heard detailed submissions from the counsel and directed CERT-In to provide a response to the Petition, stating that the issue requires consideration. IFF provided legal assistance.
Why should you care?
The 2022 Directions substantially impact how service providers over the internet conduct their business, to the detriment of the privacy of their users. They mandate a range of entities, such as hosting, VPN and VPS services to constantly maintain a record of every activity of their customers. After collecting such data, these service providers could be required to hand over the information to CERT-In. The 2022 Directions do not impose any limitations on how long CERT-In could retain this data or whom it could share it with. If service providers do not comply with these directions, they may face imprisonment for over a year. Thus, the 2022 Directions put your privacy at risk by potentially making your activities over the internet available to an undetermined number of entities.
CERT-In Directions contain broad and vague data logging and storing requirements
CERT-In notified the 2022 Directions on April 28, 2022 under Section 70-B of the Information Technology Act, 2000 (‘IT Act, 2000’). Directions IV and V of these directions require a range of entities, including VPN providers and service providers who host servers, to:
- Mandatorily enable logs of all information and communications technology (“ICT”) systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction; and
- Register and maintain extremely detailed and invasive personal information of users – such as validated names, address, contact numbers, and email address of subscribers, period of hire, Internet Protocols allotted to members, the purpose of hire and ownership pattern of subscribers – during the subsistence of their engagement and for 5 years or longer, as mandated by unknown laws, even after any cancellation or withdrawal of registration of a user.
Non-compliance with these directions is a punishable offence carrying imprisonment of up to a year and / or a fine.
CERT-In Directions may be potentially unconstitutional
SnTHostings, which is a sole proprietorship that provides hosting, VPN, VPS, Remote Desktop Protocol and Dedicated Root Services to over 15,000 customers through its website, SnTHostings, approached us in April 2022 to challenge the onerous and vague obligations imposed upon it by the 2022 Directions. SnTHostings initially sent a representation to CERT-In asking it to withdraw the directions. Since CERT-In did not reply, we assisted SnTHostings in filing a writ petition before the Delhi HC on the following grounds:
- Beyond the scope of powers conferred on CERT-In: Directions IV and V of the 2022 Directions are beyond the scope of powers conferred on CERT-In by Section 70B(6) of the IT Act, 2000. The provision permits CERT-In to call for information from service providers which they maintain in the usual course of their business. Directions IV and V of the 2022 Directions go beyond Section 70B(6) by mandating service providers to maintain personal and invasive details regarding their customers.
- Violates the right to carry on a business: Article 19(1)(g) of the Constitution guarantees the right to carry on business. Directions IV and V effectively prohibit VPN services such as SnTHostings from operating in India. The purpose of a VPN is to ensure that users can access the internet without sharing their personal information with third parties. By mandating VPN services to collect, store and then share personal data of their customers with an undetermined number of entities, the 2022 Directions do not provide any incentive to users to continue using VPN services based in India. In addition to the above, maintaining data of every activity of every customer is incredibly expensive and such a direction effectively drives small or medium enterprises such as SnTHostings out of business.
- Violates the right to privacy: As stated above, Direction IV requires service providers to maintain logs for a rolling period of 180 days. Direction V requires service providers to collect personal details regarding their customers, and then store such details as long as they are providing services to them and for 5 years once they stop providing services.
Proceedings before the Delhi High Court
Justice Yashwant Varma of the Delhi High Court heard the matter today, where Advocate Samar Bansal argued that the 2022 Directions were issued even though CERT-In was not empowered to do so, and that they affected the right to trade of SnTHostings.
The court has directed the Union Govt. to respond within 4 weeks and will now hear the matter on December 9, 2022. We are grateful to Advocate Samar Bansal for appearing on behalf of SnTHostings. He was assisted by Vrinda Bhandari, Abhinav Sekhri, Tanmay Singh, Vinayak Mehrotra, Krishnesh Bapat, Anandita Mishra, Vedant Kapur and Madhav Gupta.
The 2022 Directions substantially impact how service providers over the internet conduct their business, to the detriment of the privacy of their users. They affect the viability of small or medium size service providers who use information technology to provide their services. They also effectively prohibit VPN services which are a privacy-advancing technology. This petition on behalf of SnTHostings seeks to protect innovation, VPN service providers and privacy of internet users in India. IFF will continue to provide legal support in this case and advance its mission of securing digital rights of Indians.
- Writ Petition filed by SnTHostings challenging paragraphs 4 and 5 of 2022 Directions. (link)
- Direction No. 20(3)/2022-CERT-In dated April 28, 2022 issued by CERT-In. (link)
- IFF’s explainer on the 2022 Directions titled ‘CERT-In Directions on Cybersecurity: An Explainer’. (link)
- Representation on behalf of SnTHostings to CERT-In. (link)