ISSN (Print) - 0012-9976 | ISSN (Online) - 2349-8846

A+| A| A-

Virtual Private Networks and the Right to Privacy


Recently, the Indian Computer Emergency Response Team (CERT-In) issued directions under Section 70B of the Information Technology Act, 2000. One of the contentious directions is that virtual private network (VPN) service providers would be required to register and maintain information about their customers for a period of five years or more. The information includes validated names of customers hiring VPN services, internet protocol (IP) addresses allotted to or being used, the email addresses, IP addresses and time stamp while registration, validated addresses and contact numbers, the period and purpose of hiring services, etc. These directions affect internet users’ privacy and anonymity.

VPN is a technology that helps internet users mask their IP addresses to establish secure and encrypted connections. An IP address is a unique address identifying devices connecting to the internet and assigned to the devices by the internet service provider (ISP). VPN is generally used by people to protect their privacy on public WiFi networks, to browse the web anonymously, and to communicate more securely. It helps one hide their internet search activity from their ISP.

The use of VPNs by internet users is a measure protecting privacy and anonymity. Privacy has been recognised as a fundamental right by the Supreme Court of India as part of the right to life and personal liberty under Article 21 of the Constitution. The Supreme Court has also stated the importance of online anonymity by referring to the decision of R v Spencer of the Supreme Court of Canada in the landmark K S Puttaswamy judgment. The Supreme Court of Canada recognised in R v Spencer that the request by the police from an ISP of subscriber information belonging to an IP address infringes the guarantee against unreasonable search and seizure. The Supreme Court of Canada stated that “anonymous Internet activity engages a high level of informational privacy.” Thus, subscriber information relating to an IP address may be protected under the right to privacy.

In addition to privacy, there is also the data protection perspective to IP addresses. The General Data Protection Regulation, which is the global standard on data protection, has recognised in Recital 30 that IP addresses are online identifiers. These, when associated with a person and combined with other information, may be used to create profiles of the person and identify them. The Court of Justice of the European Union (CJEU) has held in the case of C-70/10 Scarlet Extended SA that IP addresses help users to be precisely identified. Thus, IP addresses constitute personal data as they are data about an identified or identifiable natural person. As IP addresses are personal data, the various provisions of data protection legislation apply. The data protection legislation applies to the processing of personal data. The CJEU held in the case C-582/14 Breyer that even dynamic IP addresses (changing IP address with each internet connection) constitute personal data because it is possible for media service providers to combine IP addresses with additional information held by ISPs by means reasonably likely to be used to identify a person. Thus, both static and dynamic IP addresses constitute personal data and would be protected under data protection legislations.

While privacy and data protection laws protect individuals with respect to their IP addresses, law enforcement has a different perspective. There is the legitimate aim of preventing cybercrime and maintaining cybersecurity. Moreover, using a VPN must not become a licence to commit illegal activities because one’s identity would be hidden. While law enforcement has a legitimate aim in maintaining cybersecurity, VPN users have the legitimate concern that their online activity could be monitored and surveilled by the government through the CERT-In directive in question.

Thus, there is a need to balance the privacy and data protection rights of internet users relating to their IP addresses with the law enforcement’s
legitimate aim of accessing subscriber information relating to VPN for curbing cybercrime. The test of proportionality and necessity should guide the storage and access of data about VPN subscribers. Safeguards need to be ensured so that measures of maintaining and accessing data about VPN users do not become a means of surveillance of internet users’ online activity.

Paarth Naithani



Dear Reader,

To continue reading, become a subscriber.

Explore our attractive subscription offers.

Click here

Updated On : 4th Jun, 2022
Back to Top