Justice Yashwant Varma directed CERT-In to submit its reply to the petition filed by VPN provider, SNTHostings, within four weeks
The CERT-In directions mandate data centres, VPNs, VPS providers and cloud service providers to collect and hold data for five years
The new mandates issued by CERT-In have received a lot of criticism and many VPN providers have already pulled out their servers from India
The Delhi High Court on Wednesday (September 28) issued a notice to the Centre on a petition challenging the legality of the directions issued by the Indian Computer Emergency Response Team (CERT-In) for virtual private network (VPN) service providers in the country in April this year.
The petition was filed by SnTHostings, which provides VPN and virtual private server (‘VPS’) services.
The Internet Freedom Foundation (IFF), which provided legal assistance to SnTHostings, noted that the directions present an existential crisis to SnTHostings as they mandate collection of various personal data and its sharing with “CERT-In on demand and/or on the occurrence of a cyber-security incident”.
Justice Yashwant Varma directed CERT-In to submit its reply within four weeks.
As per Bar and Bench, the court’s order said, “Issue notice. The present petition challenges the directions given in the circular dated April 28, 2022 by CERT-In. The petitioner submits that Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 are vague leave the petitioner in a quandary.”
Advocate Samar Bansal, appearing for the petitioner, argued that the directions were issued despite CERT-In not being empowered to do so and that they affect the right to trade of SnTHostings, the IFF said.
The court will next hear the matter on December 9, 2022.
The CERT-In directions mandate data centres, VPNs, VPS providers and cloud service providers to collect and hold data for five years. These data includes validated names of subscribers/customers hiring the services, email addresses, IP addresses and time-stamps used at the time of registration/on-boarding, period of hire including dates, IPs allotted to/being used by the members, and more.
As per legal experts, the directions are technologically difficult to comply with.
In June, SnTHostings sent a legal representation to the Ministry of Electronics and Information Technology (MeitY) asking to recall the directions, which were set to come into force from July 27.
“At the outset, the Directions have been issued without any consultation with stakeholders and have reportedly already resulted in major entities such as ExpressVPN completely removing their servers from India and others, such as ProtonVPN, classifying India as a “high-risk country”, the VPN service provider said in the letter.
“This demonstrates how detrimental these Directions could be for investment in India and our business reputation internationally,” it added.
Many other VPN providers had also protested against the government’s move. Last week, Proton VPN said that it was removing its physical servers from India in response to the country’s “regressive new surveillance law”. It joined other foreign VPN service providers like ExpressVPN, Surfshark, and NordVPN, who have already pulled their servers out of the country as the government refused to budge on the directions despite requests and widespread criticism.