Executive summary

India continues to deliberate on a comprehensive data protection law. A Parliament panel examining the proposed legislation submitted its report in December 2021, paving the way for the Indian government to finalise the law and table it before Parliament. The proposed law governs how personal data can be collected, used, and shared to safeguard individual privacy. It calls for, among others, the local storage of certain types of data. Through such localisation mandates, the Indian government seeks to address challenges faced by law enforcement agencies (LEAs) in accessing data, stored by US service providers, that could assist in criminal investigations.

Meanwhile, the United States (US) Clarifying Lawful Overseas Use of Data Act or CLOUD Act offers an alternative approach to the same challenge. Enacted in 2018, the CLOUD Act provides an avenue for foreign law enforcement agencies to access evidence directly from US service providers in case of investigation of “serious crimes”, through an executive agreement drawn up by the two countries for the purpose. To enter such an agreement with the US, a foreign country must meet certain procedural and substantive requirements, including having protections against surveillance and safeguards against unbridled government access to data. It also requires the partner country to show a commitment to an open and interconnected Internet, and to free flows of data across borders.

The United Kingdom (UK) was the first country to have entered into a CLOUD Act agreement with the US, in 2019. The negotiations between the two countries offer insights into how the US government is likely to interpret a foreign country’s relevant laws, as well as lessons on potential obstacles to such an executive agreement. For instance, while examining the UK’s legal regime, the US government scrutinised the obligations of UK authorities to meet purpose limitation, data minimisation, and other privacy principles enshrined in the EU General Data Protection Regulation (which was still applicable to the UK at the time). The US also evaluated the UK’s independent oversight mechanism over interception warrants, through the ‘Investigatory Powers Commissioner’ and ‘Judicial Commissioners’ appointed for oversight. While UK law does not require judicial authorisation of every law enforcement request, the US found its mechanism of oversight through Judicial Commissioners to be sufficient. At the same time, to be able to enter into the agreement, the UK government also passed the UK Crime (Overseas Production Orders) Act 2019 (COPOA) that enables certain UK LEAs to apply for a UK court order with extra-territorial effect, compelling the production of electronic data stored outside the UK.

When assessed against CLOUD Act standards, India’s existing data access laws may meet the mark in certain respects, but require additional protections on some fronts. As India finalises its data protection law, this report offers four key lessons from the US-UK negotiations under the US’s CLOUD Act, evaluates existing Indian data access and surveillance laws, and ponders the proposed data protection law.

First, the UK-US negotiations showed that an overhaul of the foreign country’s laws may not always be required to enter into an executive agreement with the US. The UK, instead of amending its entire set of laws, enacted the COPOA to give effect to the US-UK agreement and make direct requests to US service providers. Through the new law, the UK proposed the requirement of prior judicial oversight, for the sub-set of LEA requests to be made directly to US service providers. Similarly, given the difference in the US’s and UK’s approaches to free speech, the agreement provides for a review mechanism that will add another layer of evaluation for cases involving free speech offences, before requests can be made for evidence.

Second, in the substantive assessment of laws, the US government may adopt a more lenient approach. For instance, while the UK Investigatory Powers Act does not require prior judicial authorisation for issuing interception warrants, the US Attorney General found the UK to have sufficiently clear mandates for access and oversight, through the review mechanism offered by the Investigatory Powers Commission and the Judicial Commissioners. However, for the sub-set of requests made under the US-UK agreement, a prior court order was presumably necessary – which is reflected in COPOA.

Third, India’s upcoming data protection law could introduce protections that will bolster the country’s case that it has robust protections for privacy and clear mandates for government access and oversight. For instance, positioning the data protection regulator as an additional layer of oversight over LEA requests, and requiring LEAs to abide by certain minimum privacy norms (such as data minimisation, purpose and retention limitations). In its current form, though, the draft law may only make it more difficult to explore a future CLOUD Act agreement as the US could view the wide exemptions to government agencies as disproportionate.

Finally, existing and proposed requirements for local storage of data in India could pose obstacles to a CLOUD Act agreement. However, given that the proposed law largely requires ‘mirroring’ rather than a hardline view on exclusive local data storage, there may still be room for negotiation in this regard.

Introduction

LAW ENFORCEMENT AGENCIES (LEAs) IN INDIA often face challenges in accessing information, stored by US service providers, that could be used in criminal investigations.^[1] This experience is not unique to India, as US laws bar service providers from directly sharing communications content with foreign law enforcement agencies.^[2] To access such evidence, LEAs, whether of India or of other countries, must use the framework of a mutual legal assistance treaty (MLAT)— a process that is generally described as long-drawn and cumbersome.

To enable foreign LEAs to access evidence from US service providers, the US enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in 2018. Among others, this law allows qualifying foreign governments to enter into bilateral agreements that will grant them direct access to communications content held by US service providers. To be eligible for such an agreement, the foreign government must meet the requirements laid out under the CLOUD Act. (The requirements are discussed in Section II of this report.)

So far, India has not pursued a CLOUD Act agreement with the US government. One reason could be the notion that Indian laws may not be able to meet the requirements set out under the CLOUD Act. For instance, the Fourth Amendment guarantee in the US Constitution requires LEAs to obtain a ‘probable cause’ warrant before they can conduct ‘searches’ related to a criminal investigation. This means that each law enforcement request is vetted by a court. In contrast, Indian criminal laws do not require prior judicial approval for LEA requests. Any police officer conducting a criminal investigation can seek the production of any document simply by issuing a written order.^[3] When the CLOUD Act was enacted, early commentary by Indian analysts suggested that this US standard of prior judicial approval (along with other substantive and procedural requirements) could be a cause of tension^[4] and require India to amend existing laws to be eligible for an executive agreement.

Instead of pursuing bilateral arrangements, the Indian government sought to address the challenge of LEA access to evidence through local storage proposals. In the government’s view, if data were to be stored within India, LEAs will be able to get access to it easily. Critics argue, however, that data localisation can create technical inefficiencies,^[5] risk creating walled Internets, affect trade,^[6] and raise rather than minimise security risks.^[7] These observers also note that local storage of data will not remove the ‘bar’ under US law that restricts service providers from sharing evidence with foreign LEAs.^[8] They propose instead that India strengthen other channels of data-sharing.

In 2019, one of the authors of this paper co-authored a report that explored India-US data-sharing for law enforcement.^[9] The report highlighted bilateral and multilateral mechanisms for data-sharing and suggested the potential building blocks of an India-US CLOUD Act executive agreement. At the time of writing the 2019 report, there was limited guidance on how the US government would assess foreign governments against the CLOUD Act requirements. Since then, the US has concluded an agreement with the UK government (in 2019), and an agreement with the Australian government was also signed in December 2021.^[10] The negotiations and the US Attorney General’s assessment of UK’s and Australia’s laws offer useful guidance on interpreting the CLOUD Act requirements. This report focuses on the US’s evaluation of UK laws.

The rest of this report is structured as follows. Following this Introduction, Section II describes the requirements of CLOUD Act. Section III then describes how UK laws fared in the US government’s assessment on certain key parameters of the CLOUD Act. Section IV outlines the key surveillance laws in India, and tests them against the CLOUD Act standards. The fifth section discusses the Personal Data Protection Bill 2019 (PDP Bill) (now suggested to be renamed as the Data Protection Bill 2021), and ponders whether the law would make it easier for India to seek an executive agreement under the CLOUD Act. The report concludes with four key lessons for India when considering the possibility of an India-US CLOUD Act executive agreement.

While this report focuses on the CLOUD Act and how India fares on its requirements, similar conversations are taking place in other jurisdictions as well. Specifically, domestic surveillance laws are receiving increasing attention in discourses around international data transfers. In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield since US law did not have enough protections for non-US citizens against surveillance. This has triggered the need to evaluate local surveillance laws for continued data transfers from the EU to other countries, including India.^[1] Ironically, while the CJEU found US surveillance law to be inadequate, there are common themes between the CJEU’s decision and the US CLOUD Act requirements, among them, oversight and clear rules for surveillance.

Read the entire report here.

---

About the Authors

Sreenidhi Srinivasan is a Principal Associate and Lead – Data, and Osho Chhel is an Associate at Ikigai Law.

This report has been developed with support from the Cross-Border Data Forum.

The authors thank Ashish Agarwal, DeBrae Kennedy-Mayo, and Peter Swire for their comments and suggestions on the report, and Shrinidhi Rao (Associate, Ikigai Law) and Aditya Vats (former intern) for their research assistance.

---

^[1] Implications of Schrems II on EU-India Data Transfers, August 21, 2022.

^[1] See comments from government officials: Neha Alawadhi, “CBI & FBI join hands to reduce time required to fulfil requests on information and evidence”, Economic Times, December 07, 2015.

^[2] The US Electronic Communications Privacy Act, 1986 § 2512.

^[3] The Indian Criminal Procedure Code 1973 § 91.

^[4] See for e.g., E. Hickok et al, “An Analysis of the CLOUD Act and Implications for India,” Centre for Internet and Society, pg. 17-18,  August 22, 2018.

^[5] Erik van der Marel, Hosuk Lee-Makiyama, Matthias Bauer, The Costs of Data Localization: Friendly Fire on Economic Recovery, European Centre for International Political Economy, Occasional Paper No. 3/2014, 2014.

^[6] Anupam Chander and Uyen P. Le, “Breaking the Web: Data Localization vs. the Global Internet,” UC Davis Legal Studies Research Paper Series, Research Paper No. 378, (2014).

^[7] See Kalika Likhi, India’s data localization efforts could do more harm than good, Atlantic Council, 2019.

^[8]Madhulika Srikumar, comment on “Data localization is no solution,” Observer Research Foundation, comment posted on August 3, 2018.

^[9] Madhulika Srikumar, Sreenidhi Srinivasan, DeBrae Kennedy-Mayo and Peter Swire, India-US Data Sharing for Law Enforcement, Blueprint for Reforms, Observer Research Foundation, 2019.

^[10] The United States Department of Justice.

• International Affairs
• Privacy & Data Protection
• India
• USA and Canada
• India
• International affairs
• STRATEGIC STUDIES

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.