The new directive, published by India’s cyber watchdog, the Indian Computer Emergency Response Team (CERT-In), comes into force on 25-9-2022, and compels VPN (virtual private network) providers to store the name of the customer, period of hire, user's IP address, user's e-mail address, purpose of hiring services, contact numbers and ownership pattern of the subscriber's data as part of their know your customer (KYC) policy for five years.[1]
According to the national directive, VPNs, as well as cloud service providers, data centres and cryptocurrency exchanges, must collect exact, detailed customer data and retain it even after users delete their accounts or cancel their subscriptions. Under the rule, businesses must preserve usernames, IP addresses, usage trends and other forms of information, as well as report “unauthorised access to social media accounts”. Those who refuse to cooperate could potentially face a year in prison.
Given that the primary use of a VPN is to keep the user's virtual identity, that is, the IP address, private so that the user can steer clear of website trackers, the present rules seem inconsistent and arbitrary. As a result of the new rules, VPN service providers will be required to keep servers, and the user's privacy will no longer be their primary concern. This also puts users' privacy in jeopardy and places their activities under surveillance. While the Government's stand is that the present rules are meant to counter the cybercrimes that are taking place with the help of VPNs, the measures adopted to stop them are an arbitrary use of power and also a violation of the constitutional right to privacy.
Thus, the present article is an attempt to examine the new VPN rules against the backdrop of the constitutional right to privacy, the functionality of contemporary virtual networks and the rising trend of cryptocurrency in India.
Challenging the constitutionality of the VPN rules
As per the Global VPN Usage Report 2020, India accounts for 45% of the total usage of internet through VPN, which makes around 20% of the total population of internet users in India.[2] That the new rules propose to regulate and keep an eye on the personal data of such a huge population raises serious privacy concerns. The ability of users to rely on VPNs, data centres, and cloud storage facilities for genuine and lawful purposes may also be jeopardised. Furthermore, with the rise in large-scale data breaches at several technological enterprises, users' data stored by service providers is at risk at any given time.
The new VPN rules pose a serious threat to the users' right to privacy enumerated under Article 21[3] of the Constitution, as the rules direct the service providers to store the personal data of users for 5 years.[4] In the landmark judgment of the Supreme Court in K.S. Puttaswamy (Aadhaar-5J.) v. Union of India[5], it was clearly held that data protection is necessary since its absence would impinge on privacy, which, according to the referral Bench, would violate Article 21 of the Constitution. By requiring VPNs to store exhaustively detailed data, the rules fundamentally jeopardise the privacy of users who wish to browse the internet without being watched by the government or private companies. The guidelines already presume that those seeking anonymity through a VPN have something to hide.
Not only do the new rules encroach upon the users' right to privacy, but non-compliance by the VPN companies would also invite punitive action under the IT Act, 2000.[6] Such vindictive measures by the Government undermine the principle of proportionality envisaged under the Indian Constitution, since the security of a few internet users comes at the cost of the privacy of the rest. Storing the personal data of more than 270 million VPN users[7] just to keep cybersecurity threats in check is in no way a proportional measure to achieve the objective of the new rules. It has already been held by the Court in Malak Singh v. State of P&H[8] that, in the name of surveillance over habitual offenders, the privacy of a citizen should not be infringed under Article 21 and Article 19(1)(d)[9] of the Constitution of India.
Safeguarding the user's privacy: Through Bills and legislations
It was rightly opined by Clive Humby in 2006 that “Data is the new oil”. After one-and-a-half decades, the statement rings true in the present global technological context. On the one hand, technology is tremendously beneficial, yet it can also be abused terribly. In order to protect the data from any misuse, nations have already begun to adopt rules and regulations to protect it.[10]
In recent years, the right to privacy and the impediments to protecting private data kept by public and commercial organisations have been hotly debated. The proliferation of digital footprints and online transactions has necessitated the development of acceptable privacy standards. India’s Government had mooted the Personal Data Protection Bill way back in 2017, and the latest report released by the Joint Parliamentary Committee, which was tabled in Parliament, puts aside the former version of the Bill, which had been in the making for the last five years, as it did not comprehensively address the current requirements of the nation's changing technological landscape. The report hints at new legislation that can cater to the endless sea of changes in the globalised technological atmosphere.[11] It aims to deal with personal and non-personal data, establish a single regulatory body named the Data Protection Authority and bring numerous other changes.[12] Such prominent inclusions in the former Bill are bound to face a lot of criticism due to privacy concerns in the handling of data and its regulation. These changes are plainly linked with the newly prescribed VPN rules, as their text matches verbatim the recommendations given by the Joint Parliamentary Committee. To implement such rules, it becomes mandatory to establish adequate data servers and storage systems within the country to meet the demands of the proposed Bill. Beyond the inclusion of non-personal data and localisation norms, the Government must also ensure the safety of such data, because serious apprehensions of data breaches and threats are sufficiently evident these days, and any mishap can pose a grave threat to the security and privacy of the nation as a whole.[13]
Threat to the existence and functionality of VPNs
The rules, to be implemented by the end of September 2022, have also caused severe concern for VPN companies in India. The primary aim of a VPN is to keep the IP address of the user private and to help the user stay away from any website tracker that could track the user's data and location. VPNs add an encrypted layer that assigns a shadow IP address to the user and minimises the chance of any mishap or eavesdropping on the user's data on the web. After the new change takes effect, it will become mandatory for VPN companies to keep servers and store user data, which means that the core functionality of these companies, i.e., privacy, will be compromised.[14]
Directing VPN providers to gather and exchange information about their customers, on the other hand, is strange, given that the fundamental reason for utilising a VPN service is to avoid leaving any traces. It also needs to be noted that the transactions for the subscription of such VPNs are done through cryptocurrencies, which preserves the anonymity of the users making the transactions and therefore makes it unfeasible to obtain the users’ details. Most VPN companies have no-logs policies and usually expressly state that they do not keep users’ activity data, except a few that collect such data to examine and resolve connection difficulties.[15] It is also a grey area how the five-year retention policy will help strengthen the nation’s cybersecurity.
According to the Internet Freedom Foundation, a digital rights advocacy group based in New Delhi, the restrictions are “severe” and will jeopardise VPN users’ “individual liberty and privacy”.
In conclusion, it has to be understood that the ultimatum mandated by the new rules, which is an attempt to counter cybercrime, could potentially be the very reason one is committed. Excessive data collection and disclosure laws will jeopardise individual liberty and privacy, affecting not just VPN service providers but also VPN users. Under such a conundrum, it is unclear how well VPN service providers will comply with the orders of the Government, as prominent VPN providers like ExpressVPN and Proton VPN have pulled their servers out of India. Such changes in law by the Government not only violate constitutional principles but also threaten users' privacy and the very existence of such service providers in India.
† Third year student, University of Study and Research in Law, Ranchi, Jharkhand. Author can be reached at email@example.com.
†† Third year student, University of Study and Research in Law, Ranchi, Jharkhand.
1. Ministry of Electronics and Information Technology, Indian Computer Emergency Response Team (CERT-In), No. 20(3)/2022-CERT-In (issued on 28-4-2022).
2. Global Web Index <https://www.top10vpn.com/assets/2020/03/Top10VPN-GWI-Global-VPN-Usage-Report-2020.pdf> (last visited 25-5-2022).
3. Constitution of India, Art. 21.
4. Ministry of Electronics and Information Technology, Indian Computer Emergency Response Team (CERT-In), No. 20(3)/2022-CERT-In (issued on 28-4-2022).
6. Ministry of Electronics and Information Technology, Indian Computer Emergency Response Team (CERT-In), No. 20(3)/2022-CERT-In (issued on 28-4-2022).
7. Sunainaa Chadha, “Explained: What the New VPN Rules Means for Internet Users in India”, Times of India, (12-5-2022) <https://timesofindia.indiatimes.com/business/india-business/explained-what-the-new-vpn-rules-means-for-internet-users-in-india/articleshow/91510719.cms>.
9. Constitution of India, Art. 19(1)(d).
10. Shubhodip Chakraborty, “Personal Data Protection Bill, 2019 — A Critical Analysis: Old Wine in a New Bottle”, (2020) PL February 66.
11. Joint Parliamentary Committee, 2021, Report of Joint Committee on Personal Data Protection Bill, 2019 <https://22.214.171.124/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/pr_files/Press%20Release%20on%20the%20presentation%20Report.pdf> (accessed on 24-5-2022)
12. Surabhi Agarwal, “Fresh Legislation May Replace Data Protection Bill”, The Economic Times (24-5-2022).
13. Shubhodip Chakraborty, “Personal Data Protection Bill, 2019 — A Critical Analysis: Old Wine in a New Bottle”, (2020) PL February 66.
14. Sunainaa Chadha, “Explained: What the New VPN Rules Means for Internet Users in India”, Times of India, (12-5-2022), <https://timesofindia.indiatimes.com/business/india-business/explained-what-the-new-vpn-rules-means-for-internet-users-in-india/articleshow/91510719.cms>.
15. Jagmeet Singh, “Government Orders VPN Providers to Store and Share User Data: All You Should Know”, NDTV Gadgets 360° (25-5-2022) <https://www.gadgets360.com/internet/features/india-vpn-order-directions-user-data-collect-share-june-update-all-you-need-know-2949294>.