Data flow across borders has grown from a trickle to a torrent. The issue of a country’s law enforcement agencies’ access to personal data of its citizens stored outside its territory is likely to become increasingly important in the near future. Crime, security and even political activism have long had transnational dimensions, but it is relatively recently that they have acquired an electronic dimension as well.
Personal data stored in electronic form has to be accessed in accordance with domestic legislation, foreign legislation and, as we shall see, executive agreements between nations. The domestic legislation and international cooperation are inextricably intertwined.
In this light, it is relevant to examine India’s forthcoming data protection legislation and the United States’ Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The CLOUD Act is an example of a framework which helps overcome conflict of laws and further international cooperation.
Data Protection Bill provides a framework
India’s draft Data Protection Bill, 2021 (the DP Bill), which was submitted by the Joint Parliamentary Committee along with its recommendations to amend the older Personal Data Protection Bill, 2019 is likely to be enacted into law in the near future, with such amendments as Parliament may incorporate. The DP Bill also applies to the processing of personal data by entities not present within the territory of India. The DP Bill provides for the setting up of a Data Protection Authority (the Authority), whose duties will include monitoring the cross-border transfer of personal data. Most importantly, the DP Bill provides that this Authority may require entities which collect, store, record, transmit, use or perform certain other specified operations on personal data, to provide such information as may be reasonably required by the Authority for discharging its functions.
The DP Bill provides for the processing (a term which includes disclosure by transmission) of personal data, even without the consent of the natural person to whom such data relates, provided it is under any law made by Parliament or a State Legislature, in certain cases. These cases include, among others, where the personal data is required for compliance with any order or judgment of any court or tribunal in India, to respond to any medical emergency involving a threat to life or health, to provide medical treatment or health services during an epidemic, outbreak of disease or any other threat to public health or to ensure safety and provide assistance during any disaster or breakdown of public order.
It therefore follows that the Data Protection Authority may require an entity which qualifies as a data fiduciary or a data processor under the DP Bill, to disclose either the personal data or some information about personal data, irrespective of the fact such an entity is located abroad or the data is stored abroad. While this may be music to the ears of Indian law enforcement agencies, domestic laws are not sufficient by themselves to bring about compliance from entities located outside the territory of India. The laws of the foreign country where such data may be stored, also have a role to play.
CLOUD Act and its significance
This is where the United States’ Clarifying Lawful Overseas Use of Data Act (“the CLOUD Act”) comes into the picture.
The CLOUD Act is an enabling framework, which allows sharing of data by US based entities with foreign law enforcement agencies, pursuant to an Executive Agreement between the US and individual foreign countries. According to US Department of Justice’s 2019 White Paper on Purpose and Impact of the CLOUD Act, communications service providers subject to US jurisdiction must disclose data that is responsive to valid US legal process, regardless of where the company stores the data.
The CLOUD Act is expected to help overcome situations of conflict of laws such as the obstacles placed by the United States’ Electronic Communications Privacy Act,ECPA), which prohibits United States based service providers from the sharing of contents of electronic communications with either US or foreign law enforcement agencies, with very limited exceptions.
Safeguards within the CLOUD Act
However, for any foreign country to enter into an executive agreement under the CLOUD Act with the US, the country’s domestic law must be determined to afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection activities” of the foreign Government. The CLOUD Act lays out certain factors to be considered in making such a determination, including whether the foreign country is a party to the Budapest Convention on Cybercrime, and if not a party, then if the domestic laws of the foreign country are consistent with the definitions and requirements set forth in that Convention. Such foreign Government must also demonstrate respect for the rule of law and principles of non-discrimination and demonstrate respect for international universal human rights.
India still has some way to go
India is not a party to the Budapest Convention and therefore, if it seeks to enter into an executive agreement, there will be scrutiny of the extent to which India’s domestic laws are consistent with the definitions and requirements set forth in the Budapest Convention.
It is fair to say that any determination of the robustness of India’s substantive and procedural protections for privacy and civil liberties will be a highly subjective exercise. At the same time, it may be fairly argued that India’s domestic legislations such as the Information Technology Act and the various Rules framed thereunder, do incorporate the definitions and requirements under the Budapest Convention.
While the CLOUD Act provides an enabling mechanism to overcome the conflict of laws in relation to entities in US jurisdiction, a question mark remains over how the Data Protection Authority can obtain personal data stored in jurisdictions which do not have such mechanisms, such as China.
The existing mechanism of the India-US Mutual Legal Assistance Treaty, is highly bureaucratic and individual requests for data and information placed by Indian law enforcement agencies pass through a cumbersome route (via the Indian Ministry of Home Affairs and the US Department of Justice), often coming up against barriers placed by the ECPA.
It would be in India’s interests to enter into an executive agreement with the US, in order to benefit from the enabling framework provided by the CLOUD Act. But while an internal debate rages about India’s commitment to privacy, data protection and human rights, this is easier said than done.