A Balancing Act
By Ashit Kumar Srivastava and Rishabh Shukla
Recently, the Computer Emergency Response Team-India (CERT-In) came up with new directions for data centres, virtual private network (VPN) service providers, cloud service providers and intermediaries to create logs and provide information about customers. This includes their email addresses, IP addresses, phone numbers and the purpose for hiring VPN services. This information has to be held for five years after the customer's cancellation or withdrawal of membership or subscription.
All these entities also need to report any cyber security incident to CERT-In within six hours of it coming to their knowledge or being reported to them. Crypto exchange and wallet service providers are required to maintain KYC details of their users. Additionally, information about the user's financial transactions needs to be stored for five years. It should contain enough detail that the transaction can be reconstructed, the relevant parties to it traced and their IP addresses located.
These directions come in the wake of CERT-In finding glaring gaps in the cyber security mechanism. The fact that VPN service providers have been asked to share information about their customers comes as a revelation, given that the USP of these services lies in their anonymity. If the anonymity features come under threat, it can lead to a trust deficit.
However, there are larger jurisprudential questions lurking behind this issue. The prime question pertains to the direction given by CERT-In. Informational privacy is an elemental part of privacy rights in India (following KS Puttaswamy-I). Thus, any action of any nodal agency in the name of state security, or more particularly cyber security, needs to meet the standards of privacy rights (a three-pronged test of existence of law, legitimate state interest and proportionality).
Proportionality itself demands choosing the least intrusive means possible for achieving the objective. So, the questions that will come to haunt future government directions are:
- What kind of social evil is it trying to curb?
- Were the means adopted for doing so the least intrusive ones?
Interestingly, the prime authority to deal with questions of data privacy and data protection is the Data Protection Authority. However, India has still not been able to constitute such a body within its framework.
CERT-In, on the other hand, is a national body constituted for the purpose of ensuring a cyber security framework within India. In order to ensure a sounder cyber security framework, CERT-In may frame more rules which by default might infringe on the tenets of privacy rights. However, as there is no Data Protection Authority, there will be no appropriate counter to the directions of CERT-In, even when it is known that some actions might be blatantly or patently violative of privacy or informational privacy.
Optimal utilisation of fundamental rights is the essence of our Constitution and thus any action of a government agency which is arbitrary should be subject to careful scrutiny. There should have been institutional consultation between the Data Protection Authority and CERT-In in order to lay down the direction which CERT-In could have issued without impinging upon the dignity of data. The lack of an institutional body in the form of the Data Protection Authority tilts the decision-making power completely in favour of CERT-In.
However, this should not stop us from questioning the directions of CERT-In regarding data privacy. The prime challenge against these directions would be from the perspective of purpose limitation. The fact that CERT-In has directed storage of the data for five years goes against the settled principle of purpose limitation. All information which is shared by an individual is shared for a particular purpose and for a particular time period. Once that purpose has been fulfilled, the information needs to be removed. So, once the individual has unsubscribed or withdrawn membership from an intermediary, it is the responsibility of the intermediary to remove that information.
However, this rule may be relaxed if it can be shown that there is a legitimate purpose for which the information needs to be retained. A reference to this can be seen in Section 9 (2) of the Personal Data Protection Bill, 2019. Under this, the information may be retained for a period beyond the purpose for which it was given if there is consent of the data principal or if it is necessary for compliance with an obligation under any law in force.
Though these rights are not legally recognised within the Indian framework, they are internationally followed standards for the purpose of data protection. In the absence of data protection jurisprudence, issues of individual rights are being submerged within community interest. The correct approach to tackling these questions of data privacy vis-a-vis national security should be at the institutional level, wherein the authorities decide the contours of rights.
CERT-In, as the national nodal agency for the protection of the cyber security framework, has wide powers under Section 70B of the Information Technology Act, 2000. However, the bestowing of power per se cannot be a reason for calling the provision unconstitutional. Rather, its specific exercises will be subject to judicial scrutiny to see whether the direction issued is within the contours of constitutional guarantees.
—Ashit Kumar Srivastava is Assistant Professor of Law, NLU, Jabalpur and Rishabh Shukla is pursuing LLM at NLU, Jabalpur