Consider a scenario where a crime is committed in India and the suspect and victim are both Indian citizens. If the suspect used a U.S.-based messaging service to plan the crime, an Indian officer investigating would have to raise a request for data to the U.S. government where it is stored.
Two weeks ago, U.S. President Donald Trump signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which will enable the U.S. government to enter into agreements with like-minded states for cross-border data sharing. This will allow law enforcement agencies from these states to directly obtain electronic data, held by communication service providers headquartered in the U.S., to combat crime. New Delhi, on the back of this development, will soon push for an India-U.S. data sharing agreement to serve the interests of its law enforcement and, more importantly, to make headway in the global cyber norms conversation.
Today, to prevent, mitigate or prosecute even a routine crime, a police officer seeks timely access to electronic data. The data are often rendered inaccessible, largely due to two reasons. One, popular service providers increasingly store electronic communications in the cloud, breaking the data into “shards” and distributing the data across different countries. While these companies offer services in India, they do not store the data locally. Two, the current U.S. law prohibits service providers from disclosing user data to foreign law enforcement agencies.
The passing of the CLOUD Act comes at a time when the problematic data gathering practices of Cambridge Analytica have occupied public discourse. The CLOUD Act, however, symbolises the other, less explored side of the coin — when user data are sought for legitimate security needs.
The current system is broken
India in the first half of 2017 requested data from Facebook 9,853 times, of which only 54.3% were met. Over the years, requests from Indian law enforcement to American service providers have been on a steady rise.
Companies like Facebook, however, can directly respond only to requests for “basic subscriber information” — that is, data that a user provides at the time of signing up for a service (name, email address, etc.). Indian law enforcement officials often point out that the police need access to more information on the user, such as the content of an online conversation, to further their investigations.
The police need this information not only for traditional crimes with a cyber element, but also for more complex, transnational investigations. Cross-border crimes such as cases of online radicalisation would require agents to access data that are stored abroad.
Currently, an officer in India would have to make a request for electronic data under the India-U.S. Mutual Legal Assistance Treaty to access content data held by a U.S. company. This process has often been criticised by the Indian police for being time consuming, sometimes even taking as long as three years, as well as being cumbersome and outdated.
A workaround
Following years of negotiations between foreign law enforcement officials and the U.S. government, the latter has managed to find a workaround through the CLOUD Act. The law has been introduced to alleviate not just the concerns of other states but also its own, as was seen in the legal battle between the U.S. government and Microsoft over access to an email. With the enactment of the CLOUD Act, an Indian officer for the purposes of an investigation will no longer have to make a request to the U.S. government but can approach the company directly.
However, to operationalise the new data sharing arrangement through a bilateral agreement, the U.S. establishment has introduced an important caveat. The U.S. requires the foreign states to share a common commitment to the rule of law and the protection of privacy and other civil liberties. India would be considered to satisfy these requirements based on a determination by the U.S. Attorney General.
Among many commitments, to qualify for an executive agreement, India will need to ensure that its authorities collect, retain, use and share data as per an established procedure. In addition, Indian laws must provide for electronic data requests to be reviewed by a court or other independent authority. As of now, India falls short of these requirements. However, with the government looking to legislate on a new data protection law, this can soon change.
Madhulika Srikumar is a Junior Fellow with the Cyber Initiative at Observer Research Foundation, New Delhi
