As CERT-In guidelines come into force, VPN companies flag their concern for the right to privacy of their users

The guidelines are disproportionate since they lack procedural safeguards which allow usage of data to be limited to what is necessary for achieving their objective.


What happened on September 25 which is a source of concern to VPN companies?

Earlier this year, the Indian Computer Emergency Response Team (‘CERT-In’) released guidelines mandating Virtual Private Network (‘VPN’) providers to store certain information about their customers. The guidelines have now come into force from September 25, on the expiry of an extension from June 27; companies had been granted that time to comply, since many VPN providers halted operations after the guidelines were notified. But the extension of the deadline from June 27 to September 25 seems to have had little effect, with many VPN companies from across the globe pulling their servers out of India in a bid to protect their users’ privacy.

The requirements under the guidelines are twofold – (i) information such as names of customers, allotted IP addresses, IP address while registering, purpose for hiring VPN services, and so on, need to be stored for five years; (ii) customer logs that can include data such as timestamps, bandwidth used, sites visited, files downloaded, and so on, need to be stored for 180 days.

While the move has been alleged to be an invalid invasion of privacy, the government has argued that it is a reasonable restriction needed to combat cybercrimes. The apparent concerns on both sides – regarding breach of privacy and fighting crime – are justified, and thus it becomes necessary to balance them.

In this piece, we use the three-prong test laid down by the Supreme Court in its landmark judgment in Justice (Retd.) K.S. Puttaswamy versus Union of India (2017), of (i) legality, (ii) legitimate aim, and (iii) proportionality, to argue that the guidelines are indeed invalid. In doing so, we stress the need to have adequate procedural safeguards in such guidelines, considering the absence of a data protection framework. We will also emphasise the specific nature of VPNs to argue for a higher threshold of reasonableness in assessing the validity of restrictions.


What are the CERT-In guidelines?

CERT-In, a national agency responsible for maintenance of cyber security, released the guidelines under Section 70(B)(6) of the Information Technology Act, 2000 (‘IT Act’). The requirements are twofold – (i) information such as names of customers, allotted internet protocol (‘IP’) addresses, IP address while registering, purpose for hiring VPN services, and so on, need to be stored for five years; (ii) customer logs that can include data such as timestamps, bandwidth used, sites visited, files downloaded, and so on, need to be stored for 180 days. CERT-In, through an order/direction, can ask for such data for “protective and prevented actions related to cyber-crime.” 

The move has stirred much debate, which has been especially heated in light of two factors. Firstly, VPNs are seen specifically as providers of privacy. The expectation of the same from them is higher. By creating secured networks through which users can connect to the global network, VPNs protect users’ data from being viewed by Internet Service Providers (‘ISP’), which is what conventionally happens. In fact, a ‘No-Logs’ (not storing customer logs) policy is a major selling point for many VPN providers. With VPN providers halting their operation in India, the guidelines are seen to be nullifying VPN’s ability to provide privacy. 

Secondly, there is an absence of a robust data protection framework in India. The guidelines mandate the storage of names, contacts and addresses, all of which are personal data, since the individual to whom they belong can be identified through them. Their leakage can pose various harms. India’s extant data protection framework, which is guided by the IT Act read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘IT Rules’), is currently insufficient, as will be explained later. Therefore, it is feared that the policy can have considerable negative impacts in the absence of adequate safeguards.

Both of these factors are important for our analysis. Before that, let us understand why the guidelines infringe privacy, and what the correct threshold is against which their reasonableness should be measured. 


What is the three-prong test outlined in the right to privacy judgment?

Puttaswamy held that “informational privacy is a facet of right to privacy”. The right denotes that one has meaningful control over the sharing and use of their information without coercion. In interpreting the right, the Supreme Court emphasises the value of consent in using someone else’s data. Thus, a policy concerning storage of data that can be accessed by the government without the consent of the data subject prima facie breaches the individual’s right to privacy.

But the right is not absolute and is subject to reasonable restrictions. What constitutes these reasonable restrictions is a more complex issue. Puttaswamy had a total of six judgements – one plurality opinion written by Justice Dr. D.Y. Chandrachud for four of the judges on the bench, and five concurring opinions. Since there was no single majority judgement, no binding test to assess the reasonableness of restrictions was laid down. However, one can look at the concurring opinion given by Justice S.K. Kaul alongside Justice Dr. Chandrachud’s opinion to arrive at a test, since any point that they agree on would de facto win the approval of the majority.

Justice Dr. Chandrachud endorsed the three prongs of legality, legitimate aim, and proportionality. Justice Kaul, endorsing the same three prongs, also vouched for the need to have “procedural guarantees against abuse of such interference”. However, Justice Dr. Chandrachud also endorsed the need to account for procedure in its proportionality prong, reasoning that it “emanates from the procedural and content based mandate of Article 21.” It has been argued elsewhere that Justice Kaul’s test is an elaborate version of Justice Dr. Chandrachud’s test by explicitly accounting for procedural safeguards.

This article submits an alternative – that Justice Dr. Chandrachud’s three-prong test more appropriately accounts for Justice Kaul’s conceptualisation. As has been elsewhere argued, the tests reflect the European standard of proportionality. Justice Dr. Chandrachud’s opinion makes explicit references to European jurisprudence in explaining proportionality. However, in Europe, as would be explained later, procedural safeguards are analysed to decide the prong of proportionality, instead of it being seen as an individual prong. Since proportionality is seen as a balancing act between the harms and the benefits of a measure, procedural safeguards effectively influence this balance. Therefore, it is submitted that it is a better approach to analyse the two aspects together.

Even if this specific contention is not accepted, the article’s argument nevertheless stands. The tests given by Justices Dr. Chandrachud and Kaul are disjunctive – that is, even if a single prong is not satisfied, the restriction being tested would be unreasonable. Since both of the opinions considered proportionality as a prong, it can at least be conclusively said that there was majority agreement on the contention that if the prong of proportionality is not satisfied, the restriction is unreasonable.

The next section argues that this prong is not met, and therefore, both the tests given by Justices Dr. Chandrachud and Kaul fail, whether conceptualised separately or together.

Before analysing the proportionality prong, note that the article concedes the initial two prongs. Firstly, the IT Act provides guidelines for the “prevention” of “cyber crimes” and since VPNs do pose a probable threat to cybersecurity, the guidelines are per se legal. Secondly, since Puttaswamy accepted that crime prevention is a legitimate goal, which is the apparent objective of the guidelines, the second prong is also met. 


Why is there a lack of proportionality in the CERT-In guidelines?

The third prong, of proportionality, requires an act to be appropriate for achieving the objective pursued by the act, and not exceed the limits of what is necessary to achieve the said objective. In explaining its contours, the judgements in Digital Rights Ireland Ltd. versus Minister for Communication, Marine and Natural Resources (2014) by the Court of Justice of the European Union (‘CJEU’) and R. versus Spencer (2014) by the Canadian Supreme Court were cited by Justice Dr. Chandrachud’s opinion. Both have great contextual significance for our instant case.

In Digital Rights Ireland, the issue before the CJEU was whether a certain data retention directive that mandated ISPs to retain all traffic data for six to 24 months was violative of Articles 7 and 8 of the European Union Charter. The articles guarantee the right to privacy and the right to protection of personal data, respectively. The Grand Chamber of the CJEU made use of the three-prong proportionality test; conceding the first two prongs, it held that the directives fail to satisfy the third prong. The central thrust of its reasoning was that there was an absence of procedure that would ensure that the usage of the data is limited to what is strictly necessary for achieving the directive’s purpose. The court flagged certain concerns, all of which are manifest in the CERT-In guidelines. 

Firstly, there were no criteria to regulate the subsequent use of data by competent authorities – that is, specific procedures that dictate how data is used for the government’s objective. In the CERT-In guidelines, similarly, there is a blanket power to use data to combat ‘cyber-attacks’ without specifying how that data should be used in a limited manner. Secondly, there was no guiding nexus between the use of data and the seriousness of offences: the extent of permissible use for crimes of different intensities was not specified. Such a procedure is also absent in the instant guidelines. Thirdly, the data was stored for an indeterminate period without discrimination. The instant guidelines similarly require storage for an arbitrary duration of five years without any specification.

The crux of Digital Rights Ireland’s reasoning, based on limited use necessary for achieving a certain objective, reflects the principle of ‘purpose limitation.’ The principle has been endorsed in the Indian jurisdiction, further highlighting the importance that it should be given. In 2012, a Group of Experts was constituted by the Planning Commission to give a report on privacy. It endorsed ‘purpose limitation’ as an important principle of data protection. The report was later endorsed by Puttaswamy, thus gaining judicial approval. The Justice B.N. Srikrishna-led Committee of Experts on data protection, constituted in 2017 to draft a data protection bill, also endorsed the principle as being vital for data protection. 

Therefore, an application of Digital Rights Ireland’s interpretation of proportionality, which was endorsed in Puttaswamy, renders the guidelines disproportionate and thus unconstitutional due to a lack of procedural safeguards that inhibits the guidelines from achieving their purpose in the least restrictive way.

The fear of a lack of procedure is amplified because of an inadequate data protection framework. The extant framework is primarily informed by Section 43A of the IT Act read with the IT Rules. Section 43A allows for compensation in cases where reasonable security practices result in wrongful loss to an individual. But, in interpreting this reasonableness, if one looks at the IT Rules, one would discover that the most vital obligations (such as obtaining consent and purpose limitation) only apply to ‘sensitive personal data’ – which can exclude personal data such as names, contact information and so on (which the guidelines require to be stored). While such data may be covered under the in-progress Data Protection Bill, the IT Rules are not of much help. Thus, the extant legal framework exposes the guidelines to major risks.

The instant case of VPNs requires its specific nature, of being viewed as a place that provides privacy, to be given special consideration. Such specific considerations should be factored in policy making, as opposed to blanket or wide restrictions.

Finally, it is also pertinent to note that these specific guidelines actually would have to meet a higher-than-ordinary threshold of reasonableness. It is because of a higher ‘expectation of privacy’ that is attached to VPNs. In Spencer, the court had to decide whether the name, address, telephone number, and the IP address of an individual collected from his ISP is valid evidence. The court answered the question in the negative and held that there was a legitimate expectation of privacy on the internet, which no individual would have expected to be breached by a ‘simple request by police.’

In our instant case, it is argued that any expectation of privacy would be higher. As explained, VPNs are specifically used with the purpose of hiding data usage. It is used to maintain the ‘private space of an individual’ – which Puttaswamy has explained to be the essential nature of privacy. Therefore, the need to have a robust data protection framework and extensive procedural safeguards is heightened in the specific case of VPNs.


What lies ahead?

On the basis of the three-prong test laid down in Puttaswamy, the recent guidelines issued by CERT-In that mandate VPN providers to store and maintain certain information about their customers are unreasonable. The guidelines are disproportionate since they lack procedural safeguards which allow usage of data to be limited to what is necessary for achieving the guidelines’ objective. There is a need to have strong procedural safeguards in such invasive policies to ensure against arbitrary usage. This need is heightened, as shown, due to the absence of a robust data protection framework in India.

Additionally, the instant case of VPNs requires its specific nature, of being viewed as a place that provides privacy, to be given special consideration. Such specific considerations should be factored in policy making, as opposed to blanket or wide restrictions. The same is extremely vital to balance the right to privacy with the State’s mandate to stop crimes.