>
Pune-based VPN service SnTHostings has filed a lawsuit to challenge the legality of India’s new data law in court.
After it went into effect on September 25, new CERT-In guidelines require all VPN providers in the country to store users’ personal data for up to five years. Companies will also have to hand over this information to authorities on request. Anyone who does not comply with the new rules risks up to a year in prison.
This is why some of the best VPN services out there have already announced their decision to shut down their Indian servers to protect the privacy of their customers.
ExpressVPN’s departure from India in June was the start of the exodus. Then there was Surfshark’s promise to remove its physical servers, Hide.me’s announcement to pull the plug, and NordVPN’s departure over fears of free speech. Proton VPN was the last to join the exciting group that claimed the new law goes against everything it stands for.
SnTHostings reached out to privacy attorneys at the Internet Freedom Foundation (IFF) in April right after the new rules were announced. After an undecided promise to CERT-In to withdraw such instructions, the New Delhi-based organization is now legally assisting the provider.
SnTHostings has filed a petition in Delhi HC challenging the directions on the grounds that they violate the right to trade and the right to privacy of users and fall outside the powers conferred by the IT Act, 2000 (5/n)September 28, 2022
Legal action
“The above entities could leave India as they are international companies that can afford to continue to provide their services in other jurisdictions. However, for the petitioner, moving to another country would be extremely expensive and drastically undermine the viability of his business. ” Read the legal petition (opens in new tab).
In addition to virtual private network software, SnTHosting has also been providing VPS, Remote Desktop Protocol and Dedicated Root Services to more than 15,000 customers since 2013.
As IFF explained in a blog postwants the petition “to protect innovation, VPN service providers and privacy of internet users in India”.
In particular, they highlighted the fact that CERT-In’s new guidelines go against everything that represents secure VPN services, violating both citizens’ right to privacy and the right to act for the company.
“On top of the above, keeping records of every activity of every customer is incredibly expensive and such a direction effectively drives small or medium-sized businesses like SnTHostings out of business,” IFF wrote.
The hearing will begin on December 9, with attorney Samar Bansal appearing on behalf of SnTHostings.
Why is the new data retention law in India controversial?
Despite the new data retention law in India coming as an attempt to tackle cybercrime, the regulation has raised many concerns in the tech sector and privacy advocacy groups.
According to SnTHosting, the “unnecessary” creation of new databases containing unique and previously unavailable private information of individuals “may increase potential targets for malicious elements to exploit.”
What’s more, India’s declining media freedom and the shame of recording more internet outages than any other country in the world, there are even more concerns that intrusive regulations could be misused to promote mass surveillance.
VPN providers are just some of the companies subject to the new CERT-In guidelines. Other services include data centers, cloud storage services, virtual private servers, and cryptocurrency exchanges.
The amount of private information stored can be enormous, spanning thousands of different companies. This raises doubts about the feasibility of new regulations.
And it’s not just privacy concerns. As IFF noted, India’s new data law could wipe out many medium and small businesses. This will also negatively impact the burgeoning IT sector, perhaps translating into higher fees for Indian VPN users in general.