Delhi High Court on September 28 issued notice to the Union Government regarding the cybersecurity directions of Indian Computer Emergency Response Team (CERT-In) in response to a petition, which argued that the April 28 directions was unconstitutional and it violated privacy of citizens.
The petition, which was filed by SnTHostings, a virtual private network (VPN) service provider, on September 23, requested the Delhi High Court to set aside the directions. Digital rights body Internet Freedom Foundation provided legal assistance to SnTHostings.
"The 2022 Directions presented an existential crisis to SnTHostings as they mandated it to collect a range of personal data and share it with CERT-In on demand and / or on the occurrence of a cyber-security incident," IFF said.
Justice Yashwant Verma of the Delhi HC heard detailed submissions from Samar Bansal who was representing SnTHosting and directed CERT-In to provide a response to the Petition, stating that the issue requires consideration.
The court has directed the Union government to respond within four weeks and will now hear the matter on December 9.
Earlier in June, Pune-based SnTHostings had sent a letter to the Ministry of Electronics and Information Technology (MeitY), asking it to recall these directions that went into force on June 27.
"Since they (government) did not reply, we assisted SnTHostings in filing a writ petition before the Delhi High Court," IFF said.
This is probably the strongest opposition the controversial CERT-In directions have faced till now. Until now, the criticism against the directions were limited to representations of industry bodies and stakeholders and also to removal of India-based servers of foreign VPN providers such as ProtonVPN, ExpressVPN and so on.
Although, Netherlands-based Surfshark had said that they were in discussion with Indian lawyers to explore the possibility of challenging the directions, nothing came of it.
Grounds of the petition
Beyond the scope of powers of CERT-In: The petition argued that certain portions of the directions were beyond the scope of CERT-In's powers. For instance, the provision that directed all body corporates to enable logs of their systems and store them or 180 days (Direction 4), and the provision that asked service providers to maintain customer information for a period of 5 years or longer were deemed to be beyond CERT-In's powers (Direction 5).
Directions violate right to carry on business: The petition argued that Directions 4 and Directions 5 violated Article 19(1)(g) of the Constitution that guarantees right to carry on business.
"Maintaining data of every activity of every customer is incredibly expensive and such a direction effectively drives small or medium enterprises such as SnTHostings out of business," the petition argued.
It is important to remember that the extended deadline for MSMEs to comply with the CERT-In directions ended on September 25, and as Moneycontrol reported, such business providers are still not ready to comply to the long demands of the directions.
Violates right to privacy: As has been argued by multiple VPN service providers, and industry associations, provisions of the directions that require service providers to collect personal details regarding their customers was a violation of privacy.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
