Pune-based virtual private network service provider SnTHostings has filed a suit in the Delhi High Court against the Centre’s directions that made it mandatory for VPN operators to store user data for five years.

The Indian Computer Emergency Response Team (CERT-In) issued the direction earlier this year, after which a number of foreign VPN players exited the Indian market.

SnTHostings said the directions presented an existential crisis for VPN operators as they mandated collection of a range of personal data, which had to be shared with CERT-In on demand and/ or on the occurrence of a cyber-security incident.

“Justice Yashwant Verma of the Delhi HC heard detailed submissions from the counsel and directed CERT-In to provide a response to the petition, stating that the issue requires consideration,” Internet Freedom Foundation said in a blogpost. IFF has provided legal assistance to SnTHostings.

VPNs are a privacy-advancing technology that allow users to anonymously conduct their business on the Internet without being tracked by Internet service providers, government agencies or social media platforms. “Mandating all VPN service providers to collect and log personally identifiable data of their users and provide the data collected to CERT-In on demand will seriously impact the user’s right to privacy,” IFF said.

As a result of these directions, several prominent VPN services such as ExpressVPN, NordVPN and Surfshark, have decided to stop doing business in India and ProtonVPN has classified India as a high-risk country. SnTHostings, a privacy-first VPN service provider, has addressed a representation to MeitY, seeking immediate recall of the directions that were effective June 27, 2022.