Violation of the right to privacy and the right to freedom of speech and expression, going beyond the scope of the parent legislation, and restricting the right to do business in India are some of the legal grounds on which the cybersecurity directive issued by the Indian government on April 28 can be challenged, lawyers who spoke with MediaNama stated.
The directive, issued by the Indian Computer Emergency Response Team (CERT-In), has been criticised by cybersecurity and privacy experts, VPN providers, and tech companies for a long list of reasons, and some VPN companies even indicated that they might legally challenge the directive. But unsurprisingly, the legality of the rules is complex and not black-and-white.
What are the legal grounds under which the cybersecurity directive was issued?
- Section 70B of IT Act: CERT-In is empowered under section 70B (6) of the IT Act, 2000 to give directions to service providers, intermediaries, data centres, body corporate, and any other person for carrying out the following functions listed in section 70B (4):
- Collection, analysis, and dissemination of information on cyber incidents
- Forecast and alerts of cybersecurity incidents
- Emergency measures for handling cybersecurity incidents
- Coordination of cyber incidents response activities
- Issue guidelines, advisories, vulnerability notes, and whitepapers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents
- Such other functions relating to cybersecurity as may be prescribed
- IT Rules 2013: The IT (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013, which were issued under the provisions of section 87 and section 70B (5) of the IT Act, specify the manner in which CERT-In will perform its functions and duties. These rules allow CERT-In to seek information from companies in order to carry out its duties.
On what legal grounds can the cybersecurity directive be challenged?
1. Violating the right to privacy of citizens
- Goes against the very use of VPNs: “There’s a reason why people use VPN: that’s to ensure that their privacy rights are protected. But if even that is going to be logged then it’s definitely an issue. So I think this would be a major ground where these rules are challenged,” Prasanth Sugathan, legal director at Software Freedom Law Centre (SFLC.in) told MediaNama. “Given that VPNs usually encrypt and shield users’ identities by replacing their device IP addresses with a temporary one hosted on a remote server, the Directive may be called out to be in direct conflict with the main function of VPNs,” Rishi Anand, Partner at DSK Legal, added.
- Right to freedom of speech includes the right to communicate privately: “Right to privacy guaranteed under Article 21 of the Constitution of India, and right to freedom of speech and expression enshrined in Article 19(1)(a) of the Constitution of India, which would include the right to communicate privately, are the fundamental rights that may be relied on for building a case against the Directions by those seeking to challenge the Directions,” Amay Jain, Senior Associate at Victoriam Legalis, said.
- Won’t satisfy the Puttaswamy test: “Under the constitutional scheme, the Directive may have to withstand the test of legality, legitimate aim, and proportionality vis-a-vis privacy norms set forth by the Indian courts,” Anand stated. “As per the proportionality parameter, the restriction to be put in place by any such Direction shall be the least restrictive alternative. In the instant case, it can be argued that the least restrictive alternative would be to seek information on a case-to-case basis rather than on a real-time basis as envisaged under the Directions,” Jain said. Additionally, the CERT-In directive is not the least restrictive alternative, as the information that is required to be stored is wide-reaching and not specific to the purpose of handling cybersecurity incidents that take place, SFLC stated in a blog post.
- Absolute right to privacy does not exist: “Supreme Court has already declared your right to privacy is a fundamental right. It’s enforceable against state action, but at the same time, if there’s going to be a conflict between national interest and privacy, then those competing interests will have to be balanced with supremacy being given to national interest. So if people are having an expectation that they have an absolute right to privacy, that may not necessarily exist,” cybersecurity lawyer Pavan Duggal said.
- Privacy arguments might not hold much water: “Even now, when Supreme Court has said the fundamental right to privacy as part of the fundamental right to life under Article 21 of the Constitution. Article 21 only says that no person shall be deprived of his life or personal liberty except in accordance with the procedure established by law. So there’s a procedure established by law, then you can be deprived of your life, liberty, and privacy. In this case, the procedure established by law has been established under section 70B of the IT Act. And therefore, any challenge to these directions on the ground of violation of privacy may not hold much water,” Duggal explained.
- Might go against international laws: “CERT-In’s Directive is not as per global standards as international VPN service providers which are governed by laws of any particular country may not mandate them for storage of information and hence the CERT-IN directive is clearly against the global standards,” Utsav Trivedi, Partner at TAS Law, pointed out.
2. Going beyond the scope of the parent legislation
- Broad ambit: “Just because they have certain powers to issue directions, it doesn’t mean they can come out with directions which are very broad,” Sugathan opined. “For example, mandating the KYC norms for VPN service providers is an exercise that could potentially be challenged because when one looks at the powers under which the directions can be issued under section 70B(4), these are various powers of giving guidelines, advisories, vulnerability notes, white papers relating to information security practices, procedures, prevention, response of cybercrime. So it could potentially be argued that some portions of the directions are beyond the scope of 70B(4), but ultimately the matter will have to be just decided by a court,” Duggal said. “I don’t think the Government of India has the powers to force you to log without a law. […] Right now these directions don’t have the backing of a parent act from the way I see it,” independent researcher Srinivas Kodali said at a discussion on this topic.
- Trying to fill a policy vacuum, but this is not the best approach: “The directions are potentially aware of the fact that India lacks a dedicated law on cybersecurity, unlike other countries like Singapore, China, Vietnam, and Australia. So having understood the fact that India lacks a law on cybersecurity, these directions have sought to fill in the policy vacuum that’s currently existing. We did introduce the definition of cybersecurity under section 2 of the IT Act and we gave some cosmetic provisions on cybersecurity. But barring that there’s nothing on cybersecurity under the law. The national cybersecurity policy of 2013 has been a mere paper tiger, it’s never been implemented. So they’re trying to address this policy vacuum through secondary legislation. This is not the best approach, the best approach would have been if parliament would have come up with a dedicated law on cyber security,” Duggal remarked.
- Only a few parts of the law can be challenged, not all: “I don’t think you can say that all of these directions are bad and I want all of them gone. Some of them can be taken away completely, like the VPN parts can be taken away for good. With logging what is likely going to happen is more clarity, time frame and the cost. That is something that the industry is going to negotiate. They can’t say no to logging entirely. If you look at the Aadhaar judgement, the idea of controlling and regulating metadata and allowing governments to have metadata for a period of 180 days is going to influence any legal challenge. Now, I don’t know if there is any good ground to challenge direction four (logging requirements),” Kodali said.
- CERT-In in other countries has limited functions: “If you look at CERT in India, this is often quite different from what is there in other countries. In other countries, they mostly help address cybersecurity incidents or raise awareness about any malware and things like that. They do not do anything related to enforcement. But the kind of functions laid out for CERT-In in the IT Act goes beyond what we see in other countries. This may not be a legal ground as such but a legal ground will be with respect to the power to come out with such a direction,” Sugathan explained.
- The stated aim of the directive vs what the parent legislation permits: “A case may be made out on the ground that the said Directions are ultra vires the powers and jurisdiction provided under its parent Act/parent Rules. The basis of this contention can be found in the notion that the preamble of the said Directions states that the Directions are being issued in the interest of “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence” whereas the powers and jurisdiction of CERT-In are limited to cyber security incidents. However, a counter-argument can be made by way of establishing a nexus between cyber security incidents and “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence” which may or may not be far fetched subject to interpretation and applicability of diverse perspectives,” Amay Jain said.
- Wide powers granted by parent act: “An argument can be made by CERT-In that they have not gone beyond scope of the 2013 rules. This is only because the scope of powers conferred to CERT-In by MeitY is so wide that they can be set to cover almost any action that CERT-In undertakes,” Prateek Waghre, Policy Director at Internet Freedom Foundation (IFF), said.
- Excluding corporate VPNs might have warded off some challenges: In an FAQ document on the directive, the government clarified that corporate and enterprise VPNs are not subject to the requirements of the directive. This “allayed the fears & concerns of numerous corporations who rely on site-to-site VPNs to provide their employees secure end-to-end encryption to access the corporate network, both on-premises and on the cloud,” Pratyush Miglani, Managing Partner at Miglani Verma and Co, said. “Would the government not have carved out this distinction, corporations could have assailed the validity of the directions citing distinct requirements that may not have any nexus with the directions.”
3. Violation of the right to conduct business in India
Article 19(1)(g) of the Constitution grants the right to practise any profession or to carry on any occupation, trade or business, but these rules affect this right, Prateek Waghre pointed out. “So the right to conduct business as such in India because of the kind of restrictions that the directions are placing, whether that’s reasonable or not, could also be a question and ground for legal challenge,” Prasanth Sugathan said. For example, Surfshark VPN has said that logging and collecting KYC information goes against its business policies and technical capabilities.
4. Everywhere in the world CERT-IN job is to be a firefighter not make rules to make business difficult.
5. The heavy compliance and restriction imposed by the CERT-In direction fails the proportionality test laid down by the Supreme Court under Puttaswamy II.
— Asha Jadeja Motwani (@ashajadeja325) May 20, 2022
4. Goes against principles of the Data Protection Bill
This ground for challenge does not exist currently because India does not have a data protection law, but “interestingly and speculatively,” if the Personal Data Protection Bill 2019 had been enacted into legislation, then the CERT-In directive’s requirement to store certain data for a period of five years would have been in contradiction with the data minimisation principles of the data protection law, Amay Jain said. “The fundamental right to privacy as enshrined in under Puttaswamy II also envisions purpose limitation of data. Storing this data for a period of 5 years will disregard the principle of purpose limitation as well,” SFLC noted. The 6-hour timeline to report cybersecurity incidents is also scant compared to the 72-hour deadline proposed in the Bill for personal data breaches.
How will compliance with the CERT directive work with respect to other regulators?
- Might not be any interplay: “Compliances set forth under the new CERT Directive may not involve interplay of any other regulator per se, since the aspects relating to cyber security and cyber incidents are regulated in terms of the IT Act, and CERT is the nodal agency to perform functions pertaining to the same,” Rishi Anand said.
- Different sectors have their own complexities: “You can have an overarching structure, but different sectors have their own complexities. I think especially in areas like banking, stock exchange, et cetera, the sectoral regulator will have a major role to play there. So they will have to decide maybe the kind of encryption that has to be used, for example, RBI specifies that for banking transactions, SEBI specifies that for share transactions. So those areas, I would say the sector regulators will be in a better position to come out with specific directions and regulations,” Prasanth Sugathan said.
Who is legally liable for non-compliance?
- Cannot just be top leaders: “When it comes to corporates, it’s very difficult to pinpoint someone. There are a lot of previous judgments on that front. Only if you have a person who has a duty to do something and he doesn’t do it, then he can be liable. For example, you cannot make the managing director liable because he may not be the person who is directly responsible for an act,” Prasanth Sugathan said. “So when the entire intermediary liability question came in the Avnish Bajaj case. If you look at it, then you didn’t have the Section 79 safe harbor provision, but finally, he was let out mainly because I think the company was not made a party, and the argument was that he cannot be held liable for an action. So just because there was maybe even a mistake on the part of the company, the MD could not be held liable,” Sugathan gave as an example.
- Cannot have a single person responsible as in the IT Rules, 2021: The IT Rules, 2021 require significant social media intermediaries to appoint a Chief Compliance Officer. This officer can be held legally liable for non-compliance according to the Rules. But that sort of provision cannot be included in a directive, Sugathan said.
Why cybersecurity directions instead of rules or amendments?
- CERT doesn’t have power to issue rules: “Section 70B(6) gives a discretion to the CERT-In to give directions. It has not been given the power to come up with rules and regulations. And that’s the reason why these kinds of directions have been issued,” Pavan Duggal said. “For rules, there are various rulemaking powers given in Section 87, which list down the various areas in which the government can come out with the rules,” Prasanth Sugathan explained.
- Skips parliamentary scrutiny: “By not issuing these requirements as rules and instead as directions by CERT-IN, there is currently no requirement for these directions to be discussed by parliament,” Prateek Waghre said. “Had these directions been issued as rules by MEITY, they would have been required to be placed on the floor of both houses of the parliament as required by Section 87(3) of the IT ACT.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.