Delhi HC permits SnTHostings to respond to the CERT-In’s defence of the 2022 Directions

Tl;dr

In September, 2022, SnTHostings filed a petition before the Delhi High Court, challenging the legality of Direction No. 20(3)/2022-CERT-In dated April 28, 2022 (‘2022 Directions’) by The Indian Computer Emergency Response Team (‘CERT-In’). SnTHostings provides hosting, Virtual Private Network (‘VPN’) and Virtual Private Server (‘VPS’) services. The 2022 Directions presented an existential crisis to SnTHostings as they mandated it to collect a range of personal data and share it with CERT-In on demand and / or on the occurrence of a cyber-security incident. On the last date of hearing, the Delhi High Court directed CERT-In to reply to the Petition within four weeks. CERT-In filed a reply on December 8, 2022. On December 9, 2022, Justice Prathiba Singh of the Delhi High Court granted four weeks to SnTHostings to file a rejoinder to CERT-In’s reply and listed the case for March 9, 2022.  Advocate Samar Bansal appeared on behalf of SnTHosting, and IFF provided legal support.

Why should you care?

As discussed in detail here, the 2022 Directions impact how service providers over the internet conduct their business to the detriment of their users' privacy. They mandate a range of entities, such as hosting, VPN and VPS services, to maintain a record of every activity of their customers constantly. After collecting such data, these service providers could be required to hand over the information to CERT-In. The 2022 Directions do not impose any limitations on how long CERT-In could retain this data or whom it could share it with. If service providers do not comply with these directions, they may face imprisonment for over a year. Thus, the 2022 Directions put your privacy at risk by potentially making your activities over the internet available to an undetermined number of entities.

Summary of SnTHosnting’s Petition

Direction (iv) of 2022 Directions require service providers to mandatorily enable logs of all information and communications technology (“ICT”) systems and maintain them for a rolling period of 180 days within the Indian jurisdiction. Direction (v)  further requires collection and retention logs of extremely invasive personal information of users such as - validated names, addresses, contact numbers, and email addresses of subscribers, period of hire, Internet Protocols allotted to members, the purpose of hire and ownership pattern of subscribers - for a period of 5 years, even if a user chooses to cancel their subscription. Once such data is collected, the service provider can be required to hand over the information to CERT-In, whenever asked for.

The purpose of a VPN is to ensure that users could access the internet without sharing their personal information with third parties. By mandating VPN services to collect, store and then share the personal data of their customers with an undetermined number of entities, the 2022 Directions do not provide any incentive to users to continue using VPN services based in India and, in effect, put VPN service providers such as SnTHostings at risk from shutting down their operations in India. This is in violation of Article 19(1)(g) of the constitution, which guarantees the right to carry on business.

Accordingly, SnTHosting’s petition asked the Court to set aside Direction (iv) and Direction (v) of 2022 Directions.

Proceedings before the Delhi High Court

Justice Prathiba Singh of the Delhi High Court heard the matter on December 9, 2022 where Advocate Samar Bansal argued that the 2022 Directions were vague, beyond the statutory framework and affected the right to trade of SnTHostings. He further informed the court that the CERT-In had filed a counter affidavit to the Petition on December 8, 2022, but it was not on record yet. We note that the counter affidavit is now on record, and we are making it public in the interest of transparency and public conversation. It is available here. We will file a response to it in the next 4 weeks and will update you when it is filed.

We are grateful to Advocate Samar Bansal for representing SnTHostings. He was assisted by Advocates Gautam Bhatia, Vrinda Bhandari, Abhinav Sekhri, Tanmay Singh, Krishnesh Bapat, Ramya Dronamraju and Gayatri Malhotra.

The 2022 Directions have a substantial impact over the internet by restricting how service providers can conduct their business, in detriment to the privacy of their users. Its prohibitions on VPN Services which are a privacy-advancing technology, puts the viability of small or medium size service providers at risk. This petition on behalf of SnTHostings seeks to protect innovation, VPN service providers and privacy of internet users in India. IFF will continue to provide legal support in this case and advance its mission of securing digital rights of Indians.

Important Documents

  1. Writ Petition filed by SnTHostings challenging paragraphs 4 and 5 of 2022 Directions. (link)
  2. Counter Affidavit of the Union Government (link)
  3. Direction No. 20(3)/2022-CERT-In dated April 28, 2022 issued by CERT-In. (link)
  4. IFF’s explainer on the 2022 Directions titled ‘CERT-In Directions on Cybersecurity: An Explainer’. (link)
  5. Representation on behalf of SnTHostings to CERT-IN (link)