The Delhi High Court has agreed to hear a challenge to the Indian Computer Emergency Response Team’s April directives, which heightened compliance requirements for VPN service providers, among others.
The petition was filed by SnTHostings in the high court and was heard by a bench presided over by Justice Yashwant Varma, according to a statement issued by Internet Freedom Foundation, which provided legal help in the case.
In the April directives, the national agency for cyber security asked virtual private server and virtual private network operators to record and store information about their subscribers for a period of five years.
VPN service providers are required to gather the following information:
- Validated names of subscribers hiring the service.
- Period of hire, including dates.
- IPs allotted to the user.
- Email address and time stamp used at the time of registration.
- Purpose for hiring services.
- Validated address and contact numbers.
- Ownership pattern of the subscriber who hires the service.
The mandate to retain the information for five years following the cancellation or withdrawal of the registration may be further extended.
The petitioner has challenged CERT-In’s directives, arguing that it went beyond CERT-In’s authority by asking service providers to store personal and invasive information about customers.
The petitioner has challenged the CERT-In’s directions on the grounds that the directives exceeded CERT-In’s authority by requiring service providers to store personal and invasive information about customers.
The company has also argued that the directions effectively stop VPN services such as those provided by the SnTHostings and violate their right to carry on business as guaranteed by the constitution.
The petition said this also does not provide any incentive for the user to continue using a VPN service based in India.
The high court has given CERT-In four weeks to respond to the challenge. The case will be heard again in court on Dec. 9. Bloomberg