Internet subscribers in India consumed an average of 11 gigabytes of wireless data per month as of March 2020. Consumption trends during the coronavirus pandemic are likely to be even higher. As more activities move online and work-from-home continues, so does the State’s interest in controlling this space — data access for law enforcement being one such form of control. As per transparency reports released by Google, Facebook, and Twitter, data requests by Indian law enforcement agencies (LEAs) increased about three-fold between 2016 to 2019, which corresponds with a similarly steep hike in India’s Internet consumption.
Data sharing arrangements are governed by the laws of the country making the inquiry—in this case, India—as well as the country where the business is constituted, or its data is stored. For instance, the United States (US) Stored Communications Act restricts its service providers from sharing the content of users’ communication data with foreign authorities. Data of this nature can, therefore, be obtained only after following the process laid out in the Mutual Legal Assistance Treaty (MLAT) between the two countries.
In a recent working paper, we discussed how the cross-border character of data shapes the ability of LEAs to access user information, the resulting challenges, and emerging domestic and multilateral responses.
Any discussion on personal data access by LEAs in India necessarily requires a reiteration of the Supreme Court’s 2017 Puttaswamy verdict, which declared privacy to be a fundamental right. This means that the State can infringe upon an individual’s informational privacy only in a manner that is fair, just, and reasonable. But three years on, we are yet to see any meaningful reform to bring India’s surveillance regime in line with this ruling. While the draft Personal Data Protection Bill—introduced December last year—takes one step forward by covering all state data processing, it also takes two steps backward through its widely worded exemptions. The Bill enables the complete exclusion of certain government agencies, in addition to broad carve-outs for law enforcement purposes. Better accountability and oversight in India’s surveillance framework is essential for satisfying the constitutional mandate and for signalling preparedness for any future negotiations on cross-border access. The Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield, an agreement that enabled data transfers among certified entities in those jurisdictions, offers a case in point. The expansive powers of US intelligence agencies, and the absence of protections at par with those in the EU, were among the grounds that led to this decision. Agreements for data access by LEAs should attract a similar, if not higher, level of scrutiny.
Also read: Non-personal data rules draft has ‘grey areas’, data privacy bill architect BN Srikrishna says
India’s strategic options
So far, MLATs remain the mainstay of India’s strategy for access to cross-border data for criminal investigations. But there is an emerging consensus that current MLATs are not well equipped to handle the expected speed or volume of data requests, leading to calls for a comprehensive MLAT reform. However, many countries are already staring down an alternate path of bilateral or multilateral arrangements for direct data access. Such arrangements allow LEAs in one country to directly call for data from service providers based in the other jurisdiction, subject to the satisfaction of certain conditions. Three known models of such arrangements are the US-UK agreement—which is in line with the US Clarifying Lawful Overseas Use of Data (CLOUD) Act; the European Commission’s draft e-evidence proposal; and the draft Second Additional Protocol to the Budapest Convention on Cyber Crimes.
The expected efficiency of such arrangements comes from the elimination—or at least minimal involvement—of the other country’s judicial and administrative authorities while seeking data access. But this is also what makes direct access problematic from a privacy perspective—it effectively makes private businesses the last bastion of hope against privacy intrusions. There are also several differences in the scope of data being covered; rights of individuals and contracting party(ies), and procedural safeguards under the three instruments. For instance, the CLOUD Act is silent on the requirement of providing notice to the individual whose data is being sought—this is left to be governed by domestic laws. The European Commission’s e-evidence proposal, however, allows for a necessary and proportionate delay in issuing notice, but mandates that the individual be notified after such delay.
Also read: Surveillance a massive challenge for mental health, so India needs robust data protection laws
While India is currently not part of any direct-access discussions, it is perhaps only a matter of time before this happens. Joining the Budapest Convention would be the most logical starting point. We, however, argue that domestic surveillance reform—both in terms of the text of the law and its implementation—must be a precondition for any direct data arrangements. It is also important that India’s position on these aspects should not be dictated solely by provisions of the CLOUD Act, or any other available templates. The issues at stake are too significant to be left to the discretion of a handful of negotiators and interests. India’s position on direct access, therefore, needs to evolve through a multi-stakeholder initiative tasked with the responsibility of framing a model access agreement through an open and consultative process.
Enabling data access to aid the state’s law enforcement functions is a legitimate goal, but one that has to take place within a rights-respecting framework. Domestic surveillance reform and international collaboration will have to work hand in hand to achieve this goal.
Smriti Parsheera is a researcher at the National Institute of Public Finance and Policy and a fellow with the CyberBRICS Project. Prateek Jha is a program coordinator and research assistant at the Technology and Society Program at Carnegie India. Views expressed are personal.
This article is part of a series examining The Geopolitics of Technology in partnership with Carnegie India, leading up to its virtually held Global Technology Summit 2020 from 14-18 December 2020. More details about the summit are available here. ThePrint is a digital partner. Read all the articles in the series here.