Sharing data across borders
Two weeks ago, U.S. President signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which will enable the U.S. government to enter into agreements with like-minded states for cross-border data sharing.
The law has been introduced to alleviate not just the concerns of other states but also its own, as was seen in the legal battle between the U.S. government and Microsoft over access to an email.
The passing of the CLOUD Act comes at a time when the problematic data gathering practices of Cambridge Analytica(CA) have occupied public discourse.
What is CLOUD Act?
The CLOUD Act establishes procedures for law enforcement requests for data in other countries.
The Act allows certain foreign governments to enter into new bilateral agreements with the United States. This new agreement will enable foreign nations to make data requests directly to U.S. companies rather than via U.S. government.
The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.
How does it work?
Consider a scenario where a crime is committed in India and the suspect and victim are both Indian citizens and used a U.S.-based messaging service to plan the crime.
Before this Cloud Act, an Indian officer investigating would have to raise a request for data to the U.S. government where it is stored.
But after Cloud act, investigating agencies may directly make a request for information from the service providers in US provided US and Indian governments entered into a new bilateral agreement for data sharing.
How does it benefit India?
Timely access to electronic data for police required to prevent, mitigate or prosecute even a routine crime.
The data are often rendered inaccessible for two reasons:
First one is that popular service providers increasingly store electronic communications in the cloud, breaking the data and distributing it across different countries. While these companies offer services in India, they do not store the data locally.
Other reason is that the U.S. law prohibits service providers from disclosing user data to foreign law enforcement agencies.
India in the first half of 2017 requested data from Facebook 9,853 times, of which only 54.3% were met.
Over the years, requests from Indian law enforcement to American service providers have been on a steady rise.
Companies like Facebook can directly respond only to requests for basic subscriber information. However, the police need access to more information on the user, such as the content of an online conversation, to further their investigations.
The police need this information not only for traditional crimes with a cyber-element, but also for more complex, transnational investigations. Cross-border crimes such as cases of online radicalisation would require agents to access data that are stored abroad.
Currently, the process of requesting for such data is cumbersome and will consume more time.
With the enactment of the CLOUD Act, an Indian officer for the purposes of an investigation will no longer have to make a request to the U.S. government but can approach the company directly.
What are the conditions placed?
To operationalize the new data sharing arrangement through a bilateral agreement, the U.S. establishment has introduced an important condition.
The U.S. requires the foreign states to share a common commitment to the rule of law and the protection of privacy and other civil liberties.
India will need to ensure that its authorities collect, retain, use and share data as per an established procedure.
In addition, Indian laws must provide for electronic data requests to be reviewed by a court or other independent authority.
As of now, India falls short of these requirements.
However, Country like India, where crime rate has increased by using social media as a platform, would require access to such data from service providers who store data in US.
New Delhi can push India-U.S. data sharing agreement to serve the interests of its law enforcement agencies.