India Requires Internet Services to Collect and Store Vast Amount of Customer Data, Building a Path to Mass Surveillance
Deeplinks 2022-12-02
Summary:
Privacy and online free expression are once again under threat in India, thanks to vaguely worded cybersecurity directions—promulgated by India’s Computer Emergency Response Team (CERT-In) earlier this year—that impose draconian mass surveillance obligations on internet services, threatening privacy and anonymity and weakening security online.
Directions 20(3)/2022 - CERT-In came into effect on June 28th, sixty days after being published without stakeholder consultation. Astonishingly, India’s Minister of State for Electronics and Information Technology (MeitY) Rajeev Chandrasekhar said the government wasn’t required to get public input because the directions have “no effect on citizens.” The Directions themselves state that they were needed to help India defend against cybersecurity attacks, protect the security of the state and public order, and prevent offenses involving computers. Chandrasekhar said the agency consulted with entities “who run the relevant infrastructure,” without naming them.
Cybersecurity law and policy directly impact human rights, particularly the right to privacy, freedom of expression, and association. Across the world, national cybersecurity policies have emerged to protect the internet, critical infrastructure, and other technologies against malicious actors. However, overly broad and poorly defined proposals open the door to unintended consequences, leading to human rights abuses, and harming innovation. The Directions enable surveillance and jeopardize the right to privacy in India, raising alarms among human rights and digital rights defenders. A global NGO coalition has called upon CERT-In to withdraw the Directions and initiate a sustained multi-stakeholder consultation with human rights and security experts to strengthen cybersecurity while ensuring robust human rights protections.
What’s Wrong With CERT-In Cybersecurity Directions from a Human Rights Perspective?
Forced Data Localization and Electronic Logging Requirements
Direction No IV compels a broad range of service providers (telecom providers, network providers, ISPs, web hosting, cloud service providers, cryptocurrency exchanges, and wallets), internet intermediaries (social media platforms, search engines, and e-commerce platforms), and data centers (both corporate and government), to enable logs of all their internet and communication technology (ICT) systems–and forces them to keep such data securely within India for 180 days. The Direction is not clear about exactly what systems this applies to, raising concerns about government access to more user data than necessary and compliance with international personal data privacy principles that call for purpose limitation and data minimization.
Requiring providers to store data within a country’s borders can exacerbate government surveillance by making access to users’ data easier. This is particularly true in India, which lacks strong legal safeguards and data protection laws
Link:
https://www.eff.org/deeplinks/2022/12/india-requires-internet-services-collect-and-store-vast-amount-customer-data