This report—through interviews with a multitude of stakeholders, including Indian law enforcement, global communication service providers, current and former government officials, and civil society groups, sets out the law and procedure of cross-border law enforcement access to data between India and United States. The report exhaustively outlines the cooperation between the two states in information sharing for law enforcement purposes and the challenges therein. The authors evaluate the existing bilateral channels for data sharing and the potential for the two countries to enter into a new Executive Agreement to streamline access to communications content.

Indian law enforcement has for years been setting off alarm bells about the challenges of legitimate cross-border access to data. With popular device manufacturers and social media platforms incorporated in the United States, foreign law enforcement requests, must meet the requirements under US law to gain access to electronic data during investigations. When investigating routine crimes with a cyber element or crimes online, police officials are forced to rely on a long and arduous bilateral process with the US government to obtain electronic evidence from US communication providers. After many years, 2018 finally saw the executive take decisive steps towards addressing the issue.

Three big developments over the past year are at the centre of this policy shift and have contributed to the mainstreaming of the issue. First, the spread of false news on WhatsApp that instigated lynch mobs and resulted in 27 reported deaths, drove home the sobering reality of Indian law enforcement’s inability to access the origins of messages sent over an encrypted medium.^[1] Where data is strongly encrypted, a wiretap does not provide any police access to the content.^[2] This episode further highlighted the urgency of creating reliable channels for information-sharing between foreign service providers and local investigating agencies. Second, the controversy surrounding Paytm’s practices (a popular mobile wallet in the country) on allegedly disclosing user data to the government without following due process, brought not just company practices into focus but also underscored deeper problems with the existing law.^[3] Law enforcement in India, when requesting user data from online intermediaries or social media companies, relies on the longstanding framework under the Code of Criminal Procedure, 1973 (CrPC), which does not mandate judicial authorisation for data requests.

And finally, calls for data localisation, i.e. mandating companies to store data locally to legally operate in the country, manifested in a variety of regulations and policies introduced by different arms of the government in the past year.^[4] Notably, the committee established by the government to frame India’s first data protection law, headed by former Supreme Court judge B.N. Srikrishna, imposed a requirement on all data fiduciaries to store data in the country either exclusively or in the form of mirror servers.^[5] The primary concern cited by the Committee for this policy shift was to ease law enforcement efforts to access information required for criminal investigations and evidence-gathering for prosecutions.^[6] The recently published draft amendments to the Information Technology Act [Intermediary Guidelines (Amendment) Rules, 2018] by the Ministry of Electronics and Information Technology (MeitY) further reveal the government’s intent to introduce strong legislation aimed at regulating online intermediaries and assisting law enforcement, even at the cost of potentially compromising encryption.^[7]

These developments firmly indicate that reforms are deeply necessary in law enforcement access to data to ease extant conflicts of laws, institute privacy-protecting safeguards, and discourage further fragmented policy approaches through data localisation.

Currently, the Electronics Communications Privacy Act (ECPA) bars US-based service providers from disclosing electronic communications to any law enforcement entity—US or non US—unless requirements under US law are met. The request for user data from Indian law enforcement, therefore, needs to meet the US legal standard that there is “probable cause” that a crime has occurred and that contraband or evidence of the crime will be found by during the search. These US legal requirements apply even though the crime has occurred outside the US, the victim and suspect are not US persons, and the electronic evidence is being requested by foreign law enforcement. Under existing law, Indian law enforcement place relis on a bilateral mechanism through the India-US Mutual Legal Assistance Treaty (MLAT) to transmit requests for user data.

This process has often been criticised for being outdated and time consuming and by some estimates from Indian sources takes as long as three years and four months on average to complete.^[8] On the other hand, direct requests to companies for basic subscriber information (BSI) and transactional data are not barred by ECPA, although in practice there is inconsistent access, potentially harming law enforcement and users’ interests.

The recently passed US Cloud Act (Clarifying Lawful Overseas Use of Data Act) for the first time enables foreign law enforcement to request electronic content directly from US service providers under an Executive Agreement with the US government. As part of the Executive Agreement, the foreign country must ensure adequate levels of procedural protections for crimes covered under the Agreement. The Cloud Act provides a much-needed framework to ease cross-border access to data, not only speeding up any future process but safeguarding user privacy, and alleviating existing concerns around lacking capacity. Such a direct-data sharing regime under an Executive Agreement will, therefore, not only address law enforcement concerns but also strengthen the overall case against mandatory data localisation.

Data localisation, while often touted as a solution to law enforcement’s data needs, will not bring about any increased compliance on the part of companies when responding to requests fromlaw enforcement. ECPA still effectively bars US companies from disclosing user data to foreign law enforcement in the absence of American legal standards being met. Therefore, regardless of where the data is located, US service providers are still be bound by US laws. However, a data sharing agreement under the US Cloud Act will shift the locus to the domestic law of the requesting country, and compliance with the Executive Agreement, thereby ensuring that US companies respond to legally valid requests for content.

The Cloud Act presents an opportunity to not only resolve conflicts of law but also harmonise enforcement regimes across jurisdictions, not limited to India and the United States alone. The European Commission’s E-evidence proposal puts forth a similar model where judicial authorities in one Member State can obtain evidence directly from service providers located in other Member States.^[9] This model is of special significance to India where law enforcement comes up short while handling crimes involving transnational elements such as online radicalisation and cyber-crime. These crimes often involve accounts and individuals spread out across the globe and therefore merely localising data belonging to Indian citizens will not aid law enforcement investigations.

Finally, for any law enforcement request to be eligible under the Cloud Act Executive Agreement, they will need to adhere to privacy protecting safeguards – such as being specific about the information sought, being based on “articulatable and credible facts,” and being subject to independent oversight. This model will ensure that requests are bound by a higher threshold of privacy and due process than they currently are.

Under existing law, requests are either directly issued by law enforcement officers^[10] or in cases of interception are authorised by and subject to executive review. In the aftermath of the Supreme Court’s judgment in Puttuswamy, however, some of these provisions may stand to be revised.^[11] For instance, the executive authorisation for interception that, which does not allow for any inter-branch oversight, may not meet the “necessary and proportionate” test for imposing restrictions on privacy. India must therefore necessarily move towards a judicial sanction model for requesting communications data to qualify for an Executive Agreement with the US under the Cloud Act, as well as to meet European law standards.

This paper proposes two mechanisms that together can help India qualify for this Executive Agreement. First, for individual data requests, the paper proposes resorting to existing provisions under the CrPC that allow judicial authorisation. And second, to build institutional safeguards, including for data collection and processing, ‘qualified entities’ should be established that are specifically tasked with handling sensitive data obtained for law enforcement processes. This paper builds on prior research conducted by the Cross-Border Requests for Data Project of the Georgia Tech Institute for Information Security & Privacy^[12] and the Observer Research Foundation’s Cyber Initiative. It does not delve extensively into the substantive and procedural failings of the MLAT process. Instead, it dissects existing laws in India and the US that have a bearing on the legitimate rights of law enforcement to access communications data. The paper explores the institutional and legal changes necessary for a direct-data sharing agreement between India and the US that can address not just immediate law enforcement concerns but also potentially act as a primer for harmonisation of data-sharing regimes worldwide.

---

^[1] Timothy Mclaughlin, “How Whatsapp Fuels Fake News And Violence In India”, Wired (Dec. 12, 2018).

^[2] Peter Swire, “From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud”, 2 International Data Privacy Law 200 (2012), SSRN.

^[3] Madhulika Srikumar, “This Isn’t Just About Paytm – Laws on Government Access to Data Need to Change”, The Wire (May. 28, 2018).

^[4] Payments: The Reserve Bank of India (RBI) issued a notification requiring all “payment system providers” to store all payments data only in India. Payment system providers includes a wide spectrum of actors including international card networks such as MasterCard, and even operators of pre-paid wallets such as Google Pay and WhatsApp payments. Reserve Bank of India Notifications, “Storage of Payment Systems Data”, (Apr. 6, 2018).

Privacy: The draft Personal Data Protection Bill, 2018 places restrictions on cross-border transfer of data requiring every data fiduciary to store a mirror-copy in the country with collectors of “critical personal data” required to process data only in servers located in India. Personal Data Protection Bill, 2018.

E-commerce: Leaked copy of the draft national e-commerce policy indicates imposing mandatory data localisation requirements on all e-commerce platforms including social media and search engines to store “data generated by users in India” locally. The policy also indicates potentially incentivising players to store data in India through tax waivers. Electronic Commerce in India: Draft National Policy Framework.

Cloud: Proposed national cloud policy is likely to recommend localisation of cloud data generated in India. Currently, the Ministry of Electronics and Information Technology (MeitY) requires all government departments using cloud services (from empanelled providers) to ensure that all data is stored within the country. Aditya Kalra, “Exclusive: India panel wants localisation of cloud storage data in possible blow to big tech firms”, Reuters (Aug. 4, 2018), “MeitY issues guidelines requiring all cloud data storage used by the government to be within the country”, Firstpost, (Jun. 1, 2017).

^[5] Sections 40 and 41, The Personal Data Protection Bill, 2018, categories of personal data identified as critical personal data can only be processed in a server or data centre located in India.

^[6] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”, 27 July 2018.

^[7] Section 5 of the The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 states that, “When required by lawful order, the intermediary shall, within 72 hours of communication, provide such information or assistance as asked for by any government agency or assistance concerning security of the State or cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and matters connected with or incidental thereto. Any such request can be made in writing or through electronic means stating clearly the purpose of seeking such information or any such assistance. The intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.”

^[8] Neha Alwadhi, “CBI & FBI join hands to reduce time required to fulfil requests on information and evidence”, The Economic Times, 7 December 2015.

^[9] Theodore Christakis, “Big Divergence of Opinions on E-Evidence in the EU Council”, Cross-Border Data Forum, 22 October 2018.

^[10] Section 91, The Code of Criminal Procedure, 1973

^[11] K.S. Puttuswamy v. Union of India, 2017 (10) SCALE 1)

^[12] Cross-Border Data Project.

• Cyber Security
• India
• USA and Canada
• India-US

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.