India-based VPN to challenge new data law in court

Many VPNs already left country to safeguard customer privacy

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Pune-basedVPNservice SnTHostings has filed a lawsuit to challenge the legality of India’s new data law in court.

After it came into force on September 25, new CERT-In directives require all VPN providers based in the country to store users' personal data for up to five years. Companies will also be forced to hand this information over to authorities upon request. Those failing to comply with the new rules can face up to one year in prison.

This is why some of thebest VPNservices around have already announced their decision to shut down their Indian servers to safeguard their customers' privacy.

ExpressVPN’s exit from Indiain June kickstarted the exodus. Then, there wasSurfshark’s pledge to remove its physical servers,Hide.me’s announcement to pull the plug, and NordVPN’s departureciting fears over freedom of speech. Proton VPN was the last to join the exiting group claiming that the new law isagainst everything it stands for.

SnTHostings contacted privacy advocates at the Internet Freedom Foundation (IFF) in April, right after the new rules were announced. After an inconclusive pledge to CERT-In to withdraw such directions, the New Delhi-based organization is now legally assisting the provider.

SnTHostings filed a petition in Delhi HC challenging the directions on the ground that they violate right to trade, the right to privacy of users and that they are beyond the powers conferred by IT Act, 2000 (5/n)September 28, 2022

Legal action

“The entities mentioned above could leave India because they are international corporations which can afford to continue providing their services in other jurisdictions. However, for the Petitioner, relocating to another country would be extremely expensive and will drastically undermine the viability of his business,” read thelegal petition.

Beside virtual private network software, SnTHosting has also been providingVPS, Remote Desktop Protocol and Dedicated Root Services to over 15,000 customers since 2013.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Any VPN with servers in India must now store activity logs on users>How new Indian privacy law will have ‘negative impact on people’s privacy’>Our pick of the best India VPN around right now

As IFF explained in ablog post, the petition seeks to “protect innovation, VPN service providers and privacy of internet users in India.”

They especially stressed the fact that CERT-In new directives are against everythingsecure VPNservices represent, violating both the right to privacy of citizens and the right to trade for the company.

“In addition to the above, maintaining data of every activity of every customer is incredibly expensive and such a direction effectively drives small or medium enterprises such as SnTHostings out of business,” IFF wrote.

The hearing is set to begin on December 9, with Advocate Samar Bansal appearing on behalf of SnTHostings.

Why is India’s new data retention law controversial?

DespiteIndia’s new data retention lawcoming as an effort to clamp down on cybercrime, its regulations have been sparking many concerns across the tech sector and privacy advocating groups.

According to SnTHosting the “unnecessary” creation of new databases with unique and previously unavailable private information of persons can “increase possible targets for rogue elements to exploit.”

What’s more, India’sbacksliding media freedomand the infamy of recordingmore internet shutdowns than any other countryin the world amplify even more the worries that intrusive regulations could be misused to foster mass surveillance.

VPN providers are just some of the companies subjected to the new CERT-In directives. Other services include data centers,cloud storage services, virtual private servers, and cryptocurrency exchanges.

The amount of stored private information could be massive, across thousands of different companies. This opens a few doubts about new regulations' feasibility.

And it’s not just privacy worries. As IFF pointed out, India’s new data law could put out of business a lot of medium and small firms. This will have a negative impact on its fast-growing IT sector too, perhaps translating into higher fees forIndia VPNusers overall.

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

Is it still worth using Proton VPN Free?

Mozambique VPN usage soars as internet restrictions continue

3 reasons why PIA fell in our best VPN rankings