A set of rules recently issued by India's cyber security authority threatens to undermine the very privacy benefits VPNs are designed to provide. Under the new directions, VPN providers operating in India are legally obligated to retain a range of private user data for five years: users' legal identities, the IP addresses assigned to them, email addresses, registration timestamps, usage durations, physical addresses and contact numbers, even after users cancel their subscriptions. The directions were issued by the Indian Computer Emergency Response Team (CERT-In) under Section 70B of the Information Technology Act, 2000.
VPNs serve a range of information security purposes. Businesses and government organisations use them to protect sensitive data in transit, and organisations run their own VPNs to give employees remote access to internal network resources and a secure channel for storing and sharing information. The directives cut against the core function of a consumer VPN: the user's traffic is encrypted and routed through the provider's server, so the ISP sees only an encrypted connection to the VPN rather than the websites visited or the content exchanged, while the websites visited see the VPN server's IP address rather than the user's. Most commercial VPN providers advertise "no-logs" policies under which they keep no records of their users' activity; a five-year retention mandate covering identities, assigned IP addresses and usage durations is incompatible with such a policy.
The rules have been making headlines because they encroach on the right to communicate freely, which falls within the ambit of the Right to Privacy. Those wishing to contest the Directions may invoke the right to privacy read into Article 21 of the Indian Constitution and the right to freedom of speech and expression under Article 19(1)(a), which includes the right to communicate privately. Moreover, the directives are unlikely to withstand the proportionality test laid down in the Puttaswamy judgement.
Mass surveillance in disguise
The directives' data retention and localisation requirements raise serious questions about state-sponsored mass surveillance. Service providers will also be required to furnish near-real-time information to CERT-In for the purpose of responding to cyber incidents and taking protective and preventive measures linked to them. In the absence of adequate oversight and a data protection framework to guard against misuse, such requirements have the potential to enable mass surveillance.
Viewed against international practice, the Directive departs sharply from the major data protection regimes. It requires all covered entities to report cyber incidents to CERT-In within six hours of their being brought to the entity's attention. By contrast, the GDPR's breach notification rule (Article 33) allows a controller up to 72 hours after becoming aware of a personal data breach to notify the supervisory authority, a timeline that reflects how long it realistically takes to establish what happened; the six-hour window falls well short of that global benchmark.
At the same time, there is no legal obligation on data fiduciaries to notify affected users when a breach occurs: the information goes to CERT-In alone, and the directions offer no guidance on informing the customer or end user of a data breach. This is out of step with the GDPR. Article 13(3) requires a controller that intends to process personal data for a purpose other than the one for which it was collected to inform the data subject beforehand. Article 19 obliges the controller to communicate any rectification or erasure of personal data to each recipient to whom the data has been disclosed, and to inform the data subject of those recipients on request. Most directly, Article 34 requires a breach that is likely to result in a high risk to individuals to be communicated to the affected data subjects themselves. Because affected users are never notified, the Directives fall short of the standards set by Articles 13, 19 and 34 of the GDPR.
Under Article 17 of the GDPR, data subjects have the right to request erasure of personal data concerning them, and the controller must comply without undue delay. Under the new directive, by contrast, sensitive personal data of customers is held for five years whether or not it remains necessary.
Way forward
VPNs are a crucial weapon in the fight for internet neutrality, enabling consumers to get around ISPs' illegitimate and arbitrary website blocking. Such onerous demands for data collection and transfer would have an adverse effect on the privacy and individual freedom of VPN users as well as on VPN service providers. Companies are struggling to comply with the regulations and are considering leaving the Indian digital market; if none of them complies, VPN services would effectively be outlawed in India. Following the introduction of the new regulations, notable players such as ExpressVPN have already removed their servers from India.
Under the constitutional framework, the Directive must pass the tests of legality, legitimate aim and proportionality that the Indian courts have established for restrictions on privacy. Under the proportionality criterion, any restriction the Directives impose on a fundamental right must be the least restrictive option available. Here it may be argued that seeking information on a case-by-case basis, rather than in near-real time as the Directives require, would be the less onerous choice.
A counter-argument on the legality of the Directives is also available, since the right to privacy is not an absolute right. The Apex Court has recognised privacy as a fundamental right, and it is enforceable, but where the national interest conflicts with privacy, the national interest will take precedence. Those who believe they hold an unqualified right to privacy may therefore find that expectation unmet.
Lishika Sahni and Kritin Bahuguna are law students at Dr. Ram Manohar Lohiya National Law University in India.
Suggested citation: Lishika Sahni and Kritin Bahuguna, Data Privacy or Data Breach: The CERT-In Directives, JURIST – Student Commentary, July 11, 2022, https://www.jurist.org/commentary/2022/07/Lishika-Kritin-India-certin-directive-vpn-privacy/.
This article was prepared for publication by Rebekah Yeager-Malkin, Deputy Managing Commentary Editor. Please direct any questions or comments to she/her/hers at commentary@jurist.org