Pune-based VPN service SnTHostings has filed a lawsuit to challenge the legality of India's new data law in court.
After it came into force on September 25, new CERT-In directives require all VPN providers based in the country to store users' personal data for up to five years. Companies will also be forced to hand this information over to authorities upon request. Those failing to comply with the new rules can face up to one year in prison.
This is why some of the best VPN services around have already announced their decision to shut down their Indian servers to safeguard their customers' privacy.
ExpressVPN's exit from India in June kickstarted the exodus. Then, there was Surfshark's pledge to remove its physical servers, Hide.me's announcement to pull the plug, and NordVPN's departure citing fears over freedom of speech. Proton VPN was the last to join the exiting group claiming that the new law is against everything it stands for.
SnTHostings contacted privacy advocates at the Internet Freedom Foundation (IFF) in April, right after the new rules were announced. After an inconclusive pledge to CERT-In to withdraw such directions, the New Delhi-based organization is now legally assisting the provider.
SnTHostings filed a petition in Delhi HC challenging the directions on the ground that they violate right to trade, the right to privacy of users and that they are beyond the powers conferred by IT Act, 2000 (5/n)September 28, 2022
Legal action
"The entities mentioned above could leave India because they are international corporations which can afford to continue providing their services in other jurisdictions. However, for the Petitioner, relocating to another country would be extremely expensive and will drastically undermine the viability of his business," read the legal petition.
Beside virtual private network software, SnTHosting has also been providing VPS, Remote Desktop Protocol and Dedicated Root Services to over 15,000 customers since 2013.
As IFF explained in a blog post, the petition seeks to "protect innovation, VPN service providers and privacy of internet users in India."
They especially stressed the fact that CERT-In new directives are against everything secure VPN services represent, violating both the right to privacy of citizens and the right to trade for the company.
"In addition to the above, maintaining data of every activity of every customer is incredibly expensive and such a direction effectively drives small or medium enterprises such as SnTHostings out of business," IFF wrote.
The hearing is set to begin on December 9, with Advocate Samar Bansal appearing on behalf of SnTHostings.
Why is India's new data retention law controversial?
Despite India's new data retention law coming as an effort to clamp down on cybercrime, its regulations have been sparking many concerns across the tech sector and privacy advocating groups.
According to SnTHosting the "unnecessary" creation of new databases with unique and previously unavailable private information of persons can "increase possible targets for rogue elements to exploit."
What's more, India's backsliding media freedom and the infamy of recording more internet shutdowns than any other country in the world amplify even more the worries that intrusive regulations could be misused to foster mass surveillance.
VPN providers are just some of the companies subjected to the new CERT-In directives. Other services include data centers, cloud storage services, virtual private servers, and cryptocurrency exchanges.
The amount of stored private information could be massive, across thousands of different companies. This opens a few doubts about new regulations' feasibility.
And it's not just privacy worries. As IFF pointed out, India's new data law could put out of business a lot of medium and small firms. This will have a negative impact on its fast-growing IT sector too, perhaps translating into higher fees for India VPN users overall.
