Today’s dismissal by the Indian Supreme Court of a public interest litigation that sought to ban end-to-end encrypted messaging marks another step in the ongoing debates over privacy and encryption in the country. While not an outright victory for encryption — the court simply directed the petitioner to a technical tribunal — it is another reminder that as technology develops, lacunae in Indian policy will be exposed. The spread of end-to-end encrypted messaging services has raised the hackles of those fearing a threat to national security; the same services have been a boon to people who feel that India’s lack of clear data protection or privacy rules is simply unacceptable in the world’s largest democracy. This case may be the one that forces action from the Indian authorities, who may look to international developments in data protection when deciding the best way forward.
The European Union recently finalised two important pieces of legislation: Regulation 2016/679 — the General Data Protection Regulation (GDPR) — and Directive 2016/680. The GDPR is a wide-ranging document which impacts the individual privacy rights of EU citizens as well as the business practices of anyone handling personal data in the EU or attempting to transfer it outside the EU. The directive is closely related to the GDPR, but deals specifically with how law enforcement agencies handle personal data. An important difference between the two documents is that the GDPR will come into force in May 2018 without any further legislation by EU member states. In contrast, the directive requires the legislatures of member states to bring it into effect.
Citizens of the EU already had better protection for their personal data than many others, due to an earlier directive on data protection. However, the GDPR goes further in its efforts to harmonise data protection across the continent, and to “give people more control over their personal data”. The GDPR is also an effort to bring privacy legislation up to date with modern technological developments. Data collection on a massive scale, through social media, online transactions and more is the norm, something which was not anticipated in 1995 when the original directive was created. A particular challenge to data protection and privacy has been the increase in the movement of data as part of how multinational companies do business. The GDPR cuts to the heart of this issue, because it applies even to third parties who in any way handle the personal data of EU citizens (regardless of where they are based) and because it requires additional protective steps if that personal data is to be transferred outside the EU. Crucially, one of the suggested protective steps is the use of encryption to secure personal data.
The GDPR is a positive development for privacy protection, and will add clarity to the ways in which companies can use personal data. Its sister directive on law enforcement, which pushes for greater cooperation between European security agencies, also requires that information sharing be carried out in a way that protects personal data. However, both the GDPR and accompanying directive allow for the national security concerns of member states to override privacy protections; sovereignty considerations have ensured that large swathes of national security issues are outside the scope of European Union law.
The national security exception does not, however, mean that European security agencies will be following the lead of the US in trying to weaken methods by which people protect their data, such as encryption. Speaking at an event on privacy, encryption and anonymity hosted by Europol, the director of the European Union Agency for Network and Information Security (ENISA) came out strongly against creating backdoors to subvert data protection. Noting that cryptographic tools were important not just to protect information but to authenticate legitimate users, he said: “Do not weaken encryption on purpose; do not inhibit the use of tools for data protection and privacy; promote secure IT”. The EU’s Data Protection Supervisor supported this view, saying “backdoors are not the solution to cybersecurity, they would be a new and dangerous part of the problem”. European security seems to favour other methods of law enforcement and crime prevention, which better balance security concerns with individual rights. A joint statement by ENISA and Europol — on lawful criminal investigation that respects 21st century data protection — emphasises that when intercepting communications, “The focus should be on getting access to the communication or information; not on breaking the protection mechanism.”
Despite this harmony of thought among EU agencies, there is still evidence that member states may try to enact their own legislation to get around data protection. Privacy campaigners have also been troubled by a recent agreement between the EU and the USA to facilitate cooperation between law enforcement agencies by sharing information. While the agreement is designed to protect personal information, there have been arguments that it is weaker than European standards, and would thus put European citizens at risk, or at the very least at the mercy of American security agencies. The USA is no stranger to the data protection and security debate, with the battle between the FBI and Apple over encryption exposing a fault line in the tech world. A recently scuttled draft bill, “to require the provision of data in an intelligible format,” to the government indicates that the issue is far from resolved across the Atlantic. The bill sought to place a heavy burden on telecommunications providers and technology manufacturers, forcing them to help the government break encryption mechanisms.
Civil society and privacy activists have been key players in defeating legislation which encroaches on individual rights. Cryptographic tools will continue to be developed and become more complex, as will the methods used by law enforcement agencies to defeat them; encryption is not going anywhere. A clear policy position on encryption is the only way to attempt a balance between individual rights and national security. India made such an attempt last year with the introduction of a draft encryption policy, but factors like its data retention clauses prevented it from gaining any real traction. Millions of Indians rely on cheap hardware for internet access and basic communication, and tools like end-to-end encryption may be the best way to ensure that their data is protected and their privacy respected. The consultation process around net neutrality showed that Indians have an appetite for robust debate on technical topics — so there is no reason to delay policies on privacy and encryption.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.