US pressure threatens to weaken data - localisation mandate in India's landmark data-protection bill

The article by Sandhya Sharma was published by ET Prime on August 19, 2019. Arindrajit Basu was quoted.

Indian law-enforcement agencies have repeatedly expressed their unhappiness with America’s reticence on the sharing of critical data — whether it was around the 26/11 Mumbai attacks or procuring electronic evidence under the Mutual Legal Assistance Treaty (MLAT) from technology companies.

Top cybersecurity sources in the government tell ET prime that India’s own Personal Data Protection (PDP) Bill 2019 is in response to this. Cabinet nod to the bill is expected anytime, and it is likely to be tabled in the next session of Parliament. However, thanks to diplomatic pulls and pressures, a vital provision of the bill could end up markedly diluted. Sources in the Indian government say the US has conveyed it does not want the bill at all.

“We expect it will be a better mechanism than MLAT” for procuring data from technology companies, says a person aware of the development, while adding that the thorny question of data localisation is now a very small part of the bill. Across key bilateral engagements — US Secretary of State Mike Pompeo’s June visit to India, G20 meetings between Prime Minister Narendra Modi and President Donald Trump, and a US trade representative delegation visiting India for talks — American unease with the growing “protectionism” in Indian policy has remained a key talking point.

"Forum members oppose data localisation policies, and we look forward to sharing our concerns when the data protection bill gets introduced in Parliament,” says Susan Ritchie, vice-president of technology, media, and telecommunications at lobby group U.S. India Strategic Partnership Forum (USISPF).

“An environment where regulatory coherence is a governmental priority provides industry with greater predictability and stability resulting in increased investment." A toothless treaty? According to policy experts, MLATs have been the most widely used method for cross-border data sharing. India has signed MLATs with 39 countries, including the US. These treaties give India access to data stored on the cloud and call for data stored by multinational service providers within the jurisdiction of the partner country. However, MLATs are time consuming and have failed in their basic function in the past, sources say, and hence the government was keen to hold the data of Indians back in India, including data pertaining to e-commerce transactions, banking, healthcare, etc.

According to the Justice Srikrishna Committee report, eight of the 10 most accessed websites by Indians are owned by US entities. If data is exclusively processed in India, it will potentially cut off foreign surveillance, the report also notes, while highlighting a three-pronged approach to Indian data to reduce dependence on MLATs.

Talking exclusively to ET Prime, Justice BN Srikrishna says, “MLAT is a long-drawn process and hence the process goes through several diplomatic and judicial channels. It takes anywhere between 18 months to two years to get the information from the foreign technology companies for any investigation [and] much more time for extracting information on taxation and other financial matters…. Once the data of Indian citizens is in India, it will be much easier for law enforcement agencies to take the data for investigation purposes. In the past, the technology companies have dilly-dallied on the information requests of Indian law enforcement agencies.” To be sure, the report does not claim "perfect compliance" through data localisation and it clarifies that for data owned by companies like Google a "conflict of law" might arise if the country of registration — in this case the US — also asserts jurisdiction.

According to the report, between January and June 2017, Google received 3,843 user data-disclosure requests by Indian governmental agencies. Google refused to provide data in 46% of the cases. Now with the PDP Bill, Indian officials can easily get their hands on the data of Indian citizens not residing in India, says Justice Srikrishna. US resistance US tech-industry insiders tell ET Prime on condition of anonymity that no law-enforcement agency should be allowed 100% unfettered access to information. They claim MLATs have been successful in most cases of intelligence sharing around terrorism and national security.

“National security” is a very wide concept in India, unlike in the US where it generally refers to international activities, they say. Jacob Gullish, senior director for digital economy at the lobby group US India Business Council (USIBC), says the term MLAT is often used incorrectly as a catch-all. MLATs are designed for a very narrow and a specific purpose: where the transmitted information is admissible in the foreign country’s judicial system, he says. “In these cases, information has to be handled carefully to ensure the request complies with domestic laws and the transmission is certified for authenticity and a chain of custody, as well as packaged to allow its use as evidence in a foreign court. This process takes time, and the business community supports MLAT reform.

“Just like in the physical world, due process rights for the citizens of the world’s largest and the world’s oldest democracies must be respected in the digital domain. Companies also need legal certainty when operating between different jurisdictions. The bottom line is that law enforcement agencies (LEAs) on both sides need to develop clear processes and procedures, as well as trusted relationships, which will facilitate information exchange during an investigation.” A Google spokesperson echoes Gullish. “On urging from us and other Internet companies, MLAT processes have improved and in most cases responses are provided in a week or two,” the spokesperson says.

“In addition, we are also advocating for MLAT reform, including supporting calls to invest over [USD20 million] to address insufficient staffing, and helping investigators around the world better understand the MLAT process, to help expedite requests.” Other industry insiders claim that US companies field a high volume of requests and respond quickly for the most part, and that ultimately all of this goes back to trust. In December 2011, a Delhi court had issued summons to 21 companies, including Facebook, Microsoft, Google, Yahoo, and YouTube, to face trial for allegedly hosting objectionable content promoting hatred or communal disharmony.

The then IT Minister Kapil Sibal had asked Google and Facebook to ensure prompt removal of offensive material, complaining that the companies had not cooperated in the past. Concerns with data-localisation norms in the present state 1. Diplomatic and political: Data-localisation mandates could impact India’s trade relationships with partners like the US. 2. Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres increases the exposure to exploitation by malicious actors. 3. Economic impact: Restrictions on cross-border data flow may harm economic growth by increasing compliance costs and entry barriers for foreign service providers, thereby reducing investment or forcing businesses to pass on these costs to the consumers. The major cost pertains to setting up data centres in India.

Further, for startups looking to attain global stature, reciprocal restrictions slapped by other countries can be a serious hurdle. “Data localisation would be most effective if it is — (a) done after India updates its privacy and security standards by passing the Personal Data Protection Bill 2019; (b) done sectorally, after considering how critical it is to store the data in India; (c) done conditionally in (i) the country where data is transferred having equivalent privacy and security safeguards, both de jure and de facto and (ii) the presence of an executive data sharing agreement,” says Arindrajit Basu, senior policy officer at New Delhi-based think tank Centre for Internet and Society. This is essentially what the international community describes as “free flow of data with trust” — the G20 mandate which India recently rejected. Can the US CLOUD Act solve for the lack of information access? A section of policy experts argues that the localisation mandate proposed in India’s new bill does not solve an important problem: What happens when law-enforcement agencies need access to data relating to a foreigner stored in a server located in another jurisdiction by a company incorporated in the US? Will the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) passed in the US last year help?

The US has recently amended the CLOUD Act after a dispute between Microsoft and the US government. The law now ensures two things: American law-enforcement agencies will get access to data held by US cloud service providers (CSPs) regardless of jurisdiction, and allow “qualified foreign governments” to access data stored by US CSPs. This has given rise to a view that the CLOUD Act could be the silver bullet countries like India need to push US tech companies to share data in a timely fashion. Basu of the Centre for Internet and Society says, “India should use the threat of data localisation to negotiate an executive arrangement under the CLOUD Act. India would fare better if it were to use the language of international law to articulate its position in the MLAT reform process, or to propel itself to a better position under the CLOUD Act (which requires countries to demonstrate a commitment to a free and open Internet) or potentially pursue negotiations for a multilateral data sharing treaty.” Siddharth Jain, assistant commissioner in Delhi Police and an expert in investigating cyber-crime issues, says Indian technology firms do provide adequate and timely information about suspicious transactions; however, US firms are lax in sharing information.

Telangana IPS officer Rema Rajeshwari concurs that it’s a problem for law-enforcement agencies to cull out information from some US technology companies. Data-protection bill already diluted? ET Prime has learned that the net result of the pulls and pressures exerted by US commercial and diplomatic interests is that data localisation now remains just a small part of India’s data-protection bill. The Ministry of External Affairs maintains that the US-India relationship is “extremely important”. After President Trump’s controversial comments on offering mediation on the Kashmir issue, ministry spokesperson Raveesh Kumar said, “We are very strong strategic partners and we have brought in deep convergences across a range of issues.

We have excellent trade and investment linkages and are moving toward high defence and technology tie-up.” It’s not just political posturing by India to maintain the tricky relationship at a time when the Trump administration is coming up with reports one after the other criticising the country’s proposed data-protection policies. The PDP Bill was listed to be tabled in Parliament in the first session of the Modi 2.0 government but is yet to see the light of the day. If India tables the draft bill without making concessions that ease the demands on US technology companies, it will severely harm the India-US technology relationship, according to some US policy lobbyists. However, government sources tell ET Prime that the bill now has “data localisation as a very small part”, meaning that it is already likely diluted due to US pressure tactics. Sources say the non-critical data of an individual like height, weight, bank-account number, etc., will not need to be mandatorily stored in India. However, biometric data will have to be stored locally.

Top policymakers who were consulted for the Justice Srikrishna Committee report say should the bill be diluted under duress, it will be a sorry statement for India’s data-protection regime. Meanwhile, with nationalistic sentiments in full flourish during the new Modi government’s first Parliament session, the Ministry of Electronics and Information Technology issued a note that “the bill being prepared will address India’s sovereign data concerns and provide a framework to boost innovation in India while complying with the directives contained in the judgment of [the Honourable Supreme Court]”.

India and EU: a potential template In contrast to the Indo-US friction, India’s understanding with the European Union (EU) on the issue of data protection offers a potential template. India is looking at dialing EU to seek ‘adequacy’ status with the General Data Protection Regulation (GDPR) once it passes the PDP Bill. Tomasz Kozlowski, EU Ambassador to India, said at the recent ET 5G Congress, “Data protection is an important element of EU-India cooperation.

With such a law in place, India will be joining the global trend of global convergence toward a modern data-protection law, and take a leadership role in the region and globally, at a time when the need to address challenges to data privacy and security requires a common approach.” Kozlowski added that the “adoption of strong data protection law will also pave way for EU-India discussions and further facilitate data flows.” Top cybersecurity sources in the Indian government point out that the US has agreed to GDPR, which is far more stringent than the Indian Bill. If so, why make noise about India’s data-localisation demands?