An India-US agreement under the CLOUD Act

Globalization has increased opportunities for economic growth as well as transnational crimes. With the increasing technological advancements, the nature of crimes has changed, with cross-border offenses becoming more complex every day. Crimes are committed in the domestic territory but the evidence for the same is held in a foreign jurisdiction. Therefore, access to data generated by online platforms could prove significant in a police investigation of both online and offline crimes. Yet, a lot of this data remains inaccessible as it is stored predominantly under the control of companies located in the United States, where companies are not permitted to disclose information to foreign jurisdictions. 

There has been a steady rise in Indian Law Enforcement Agencies (LEAs) requesting US services providers for access to data, to assist them in a criminal investigation. But companies can only respond with “basic subscriber information”. Where more information is needed, enforcement agencies have to follow the process under Mutual Legal Assitance Treaties (MLAT). The process has been criticized by the Indian police as cumbersome and slow, with some requests taking up to 3 years to be resolved. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) aims to function as a workaround to the MLAT process and make the investigation of transnational crimes easier.

INDIA AND CLOUD ACT

Enacted in 2018, the CLOUD Act has a twofold function. First, it allows the US government to order the production of electronic evidence in the “possession, control or custody” of US service providers, no matter where such evidence is stored. Secondly, it provides an avenue for foreign law enforcement agencies to directly access electronic data held by US service providers when investigations of “serious crimes” is concerned, through an executive agreement drawn up by the countries. US and UK became the first countries to enter into an agreement under the act in 2019, followed by Australia in 2021.

The cloud act puts certain conditions and procedural safeguards on the access of data by foreign governments. The orders should be for serious crimes and must relate to a specific individual. There must be a reasonable and clear justification for the issue of such an order, and be subject to independent review or oversight. To qualify under the act, a country must afford robust substantive protections for privacy and civil liberties in terms of government handling of data. The government must demonstrate respect for rule of law, non-discrimination, and a commitment to international human rights. They must provide protection against unlawful interference with privacy, freedom of speech of individuals, and arbitrary arrests and torture.

Though India is yet to explore a CLOUD Act agreement with the US, the following laws governing the surveillance and access to electronic data may be governed:

• The IT Act 2000 

The IT Act 2000 governs the interception, monitoring, and decryption of data in electronic form by state and central government. The “interception rules” steam from the IT Act

• The telegraph act

These set out rules for phone tapping. The interception rules borrow heavily from the act.

• The Criminal Procedure Code 1973

The code governs criminal investigations, including access to evidence under sections 91 and 93. Law Enforcement Agencies routinely issue orders under the CRPC to tech companies instead of under the IT Act 2000

The CLOUD act requires the US government to evaluate if the partner country has:

Clear mandates for government access and effective oversight

• Under CRPC 

In India, CRPC is invoked to issue orders to companies to share data. This may be done either by a court or a police officer and is commonly used by a police officer, without securing a court order. There are no other safeguards mentioned. This might fail to pass the CLOUD act threshold of clear mandates to access. Though, the police can be asked to get a court summons issued to meet the standards of the CLOUD act. Further safeguards may be added through agreements providing restricted collection, access, and use of data, retention period, and other technical safeguards.

• IT Act

The IT Act provides for an oversight mechanism through review committees but their independence has been questioned by privacy experts. The rules were also challenged in the Supreme Court for not ensuring enough independent oversight of surveillance orders. It was argued that judicial oversight was a must to protect individual rights. Such concerns may resonate with the US when assessing our surveillance laws.

Commitment to global free flow of information and an open Internet

India has data localization obligations under various laws. The Reserve Bank of India requires financial institutes to store payment information locally and delete them from servers located in foreign jurisdictions. The recent CERT-in directions also have a data localization mandate. Moreover, the proposed Data Protection Bill 2021 requires companies must store “sensitive personal data” and “critical personal data” in India. Such restrictions will likely be viewed adversely in determining India’s commitment to the free flow of information across borders.

Conclusion

India will need to re-evaluate and amend at least some of its existing laws to meet the requirements of the CLOUD Act. The proposed data protection law provides India with an opportunity to close any gaps in existing data access laws and could offer certain additional protections to bolster its case that the country has robust protections for privacy and clear mandates for government access and oversight. The prior agreements under the CLOUD act also suggest that the US does not expect the same protections from foreign countries as present in its own. Though, the data localization mandates by the Indian government may pose an obstacle in pursuing an executive agreement with the United States.