CERT-IncybersecurityLegal

Delhi HC Permits SnTHostings to Withdraw Petition Challenging the Legality of 2022 Directions

SnTHostings' petition at the Delhi HC challenging the CERT-In 2022 Directions has been withdrawn on instructions from the petitioner.

Internet Freedom Foundation
Internet Freedom Foundation

18 March, 2024
3 min read

Donate Now

Tl;dr

In September 2022, SnTHostings filed a petition with the Delhi High Court, challenging the legality of the Indian Computer Emergency Response Team’s (‘CERT-In’) Direction No. 20(3)/2022-CERT-In. SnTHostings, which provides hosting, VPN, and VPS services, was required by the 2022 Directions to collect and share personal data with CERT-In upon request or during a cybersecurity incident. The petition was subsequently withdrawn on instructions from the petitioner on March 14, 2024.

Why should you care?

The 2022 Directions substantially impact how service providers over the internet conduct their business, to the detriment of the privacy of their users. As discussed previously, these directions mandate a range of entities, such as hosting, VPN and VPS services to constantly maintain a record of every activity of their customers.

After collecting such data, these service providers could be required to hand over the information to CERT-In. The 2022 Directions do not impose any limitations on how long CERT-In could retain this data or whom it could share it with. If service providers do not comply with these directions, they may face imprisonment for over a year. Thus, the 2022 Directions put your privacy at risk by potentially making your activities over the internet available to an undetermined number of entities. 

Approaching the Delhi High Court

Direction (iv) of 2022 Directions require service providers to mandatorily enable logs of all information and communications technology (“ICT”) systems and maintain them for a rolling period of 180 days within the Indian jurisdiction. Similarly, Direction (v)  further requires collection and retention logs of extremely invasive personal information of users such as validated names, addresses, contact numbers, and email addresses of subscribers, period of hire, Internet Protocols allotted to members, the purpose of hire and ownership pattern of subscribers, for a period of 5 years, even if a user chooses to cancel their subscription. Once such data is collected, the service provider can be required to hand over the information to CERT-In, whenever asked for. 

A VPN's purpose is to protect user privacy by preventing third parties from accessing personal information. However, the 2022 Directions require VPN providers to collect, store, and share customer data with multiple entities, discouraging users from using Indian-based VPN services and potentially forcing providers like SnTHostings to shut down in India. This is in violation of Article 19(1)(g) of the constitution, which guarantees the right to carry on business. Accordingly, SnTHosting’s petition asked the Court to set aside Direction (iv) and Direction (v) of 2022 Directions.

Proceedings before the Delhi High Court

Justice Yashwant Varma issued notice on September 28, 2022, on the matter with CERT-In filing a reply on December 8, 2022. Subsequently, Justice Pratibha Singh heard the matter on December 9, 2022, where Advocate Samar Bansal argued that the 2022 Directions were vague, beyond the statutory framework and affected the right to t of SnTHostings.

On March 14, 2024, the matter was heard by a single judge bench of Justice Subramonium Prasad where the counsel for the petitioner, on instructions from the petitioner, sought permission to withdraw the petition. The court granted permission to withdraw the petition, noting that since the writ petition had been withdrawn, it had not considered the case on merits.

We are grateful to Advocate Samar Bansal for appearing on behalf of SnTHostings. He was assisted by Advocates Vrinda Bhandari, Abhinav Sekhri, Tanmay Singh, Krishnesh Bapat and Gayatri Malhotra.

Important Documents

  1. Writ Petition filed by SnTHostings challenging paragraphs 4 and 5 of 2022 Directions (link)
  2. Counter Affidavit of the Union Government (link)
  3. Direction No. 20(3)/2022-CERT-In dated April 28, 2022, issued by CERT-In (link)
  4. IFF’s explainer on the 2022 Directions titled ‘CERT-In Directions on Cybersecurity: An Explainer’ (link)
  5. Representation on behalf of SnTHostings to CERT-In (link)
  6. IFF blog titled ‘Delhi HC permits SnTHostings to respond to the CERT-In’s defence of the 2022 Directions’ (link)
  7. Order dated March 14, 2024 (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Supreme Court issues notice in Sushant Singh's transfer petition challenging website blocking

Sushant Singh has sought transfer of his writ petition from the Bombay High Court to the Supreme Court, challenging Rules 8 and 16 of the IT Blocking Rules, 2009. On 02.05.2025, the Supreme Court issued notice and tagged it with SFLC’s pending petition raising similar issues.

6 min read

2
Section 44(3) and the Systematic Dismantling of the RTI Act: A Fact Check to Ashwini Vaishnaw

Section 3 has no relevance to the RTI amendment, and Mr. Ashwini Vaishnaw's response fails to address the core concern: Section 44(3) weakens citizens’ right to information and transparency in governance. IFF does a fact check. 

6 min read

3
Budget Session 2025: A Digital Rights Review

The Budget Session of Parliament, held from January 21 to April 4, 2025, included a recess from February 13 to March 10 for Standing Committee reviews. Key discussions covered various national issues, including digital rights and freedoms.

12 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!