CLUBX

Delhi High Court issues notice in VPN Service provider's plea against CERT-In directions regarding personal data sharing

Read Time: 04 minutes

Synopsis

The plea contests the CERT-ln directive requiring SnTHostings to gather a variety of personal data and provide it to CERT-In upon request and/or in the event of a cyber-security incident.

The Delhi High Court on Wednesday issued notice in a plea challenging the direction issued by the Indian Computer Emergency Response Team (CERT-ln) mandating SnTHostings to collect a range of personal data and share it with CERT-In on demand and/or on the occurrence of a cyber-security incident.

A bench of Justice Yashwant Varma issued notice and asked CERT-In to submit its response to the plea. 

The bench was hearing a plea filed by SnTHosting which provides hosting, Virtual Private Network (‘VPN’), and Virtual Private Server (‘VPS’) services. The plea has challenged Direction No. 20(3)/2022-CERT-In which allegedly requires that in case of any cyber-security incident, the information collected by SnTHostings and other target entities must be shared with the CERT-In. The plea stated that it puts existential crisis to SnTHostings.

Advocate Samar Bansal appearing for the SnTHostings submitted that the 2022 directions were issued even when CERT-In is not authorized to do so, additionally, it affects the right to trade of SnTHostings.

The direction allegedly mandated:

A) mandatorily enable logs of all information and communications technology (“ICT”) systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction.

B) register and maintain extremely detailed and invasive personal information of users – such as validated names, addresses, contact numbers, and email addresses of subscribers, period of hire, Internet Protocols allotted to members, the purpose of hire and ownership pattern of subscribers – for 5 years or longer, as mandated by law, even after any cancellation or withdrawal of registration of a user.

The plea submitted that it provides VPN services to its users to access the internet semi-anonymously and is nothing short of a public good at a time when cyberspace is rife with dangers to one’s liberty, reputation, property, and dignity. 

However, "the direction drastically alters the nature of the service being offered that they effectively prohibit SnTHostings from providing VPN services altogether", the plea stated. 

Case Title: SnTHostings Vs. Union of India 

Also Read